Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add tests for mounting into /proc and /sys
Mounting volumes into either of these two destinations (/proc and /sys)
should be prohibited.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
| ... | ... |
@@ -6,12 +6,10 @@ import ( |
| 6 | 6 |
"errors" |
| 7 | 7 |
"fmt" |
| 8 | 8 |
"net" |
| 9 |
- "path/filepath" |
|
| 10 | 9 |
"strings" |
| 11 | 10 |
"syscall" |
| 12 | 11 |
|
| 13 | 12 |
"github.com/docker/docker/daemon/execdriver" |
| 14 |
- "github.com/docker/docker/pkg/symlink" |
|
| 15 | 13 |
"github.com/docker/libcontainer/apparmor" |
| 16 | 14 |
"github.com/docker/libcontainer/configs" |
| 17 | 15 |
"github.com/docker/libcontainer/devices" |
| ... | ... |
@@ -231,10 +229,6 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e |
| 231 | 231 |
container.Mounts = defaultMounts |
| 232 | 232 |
|
| 233 | 233 |
for _, m := range c.Mounts {
|
| 234 |
- dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs) |
|
| 235 |
- if err != nil {
|
|
| 236 |
- return err |
|
| 237 |
- } |
|
| 238 | 234 |
flags := syscall.MS_BIND | syscall.MS_REC |
| 239 | 235 |
if !m.Writable {
|
| 240 | 236 |
flags |= syscall.MS_RDONLY |
| ... | ... |
@@ -242,10 +236,9 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e |
| 242 | 242 |
if m.Slave {
|
| 243 | 243 |
flags |= syscall.MS_SLAVE |
| 244 | 244 |
} |
| 245 |
- |
|
| 246 | 245 |
container.Mounts = append(container.Mounts, &configs.Mount{
|
| 247 | 246 |
Source: m.Source, |
| 248 |
- Destination: dest, |
|
| 247 |
+ Destination: m.Destination, |
|
| 249 | 248 |
Device: "bind", |
| 250 | 249 |
Flags: flags, |
| 251 | 250 |
}) |
| ... | ... |
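Review bot: With `Destination: m.Destination` the driver now hands libcontainer the raw, unresolved path, and nothing in this hunk rejects /proc or /sys or resolves a symlinked destination inside the rootfs, so the tests added by this commit rely on a check that lives outside the visible change, presumably in libcontainer's mount setup. A short comment above the append would tell the next reader where that responsibility went, e.g. `// Destination is passed unresolved: libcontainer resolves it within the rootfs and rejects /proc and /sys itself.` — worded to match what the libcontainer side actually guarantees. It is also worth confirming that the in-scope symlink resolution the removed FollowSymlinkInScope call provided is really performed on the libcontainer side, since dropping it without a replacement would let a symlink at the destination redirect the bind mount outside the container root. setupMounts begins and ends outside these hunks.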
@@ -3107,3 +3107,21 @@ func TestRunReadProcLatency(t *testing.T) {
|
| 3107 | 3107 |
} |
| 3108 | 3108 |
logDone("run - read /proc/latency_stats")
|
| 3109 | 3109 |
} |
| 3110 |
+ |
|
| 3111 |
+func TestMountIntoProc(t *testing.T) {
|
|
| 3112 |
+ defer deleteAllContainers() |
|
| 3113 |
+ code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true")) |
|
| 3114 |
+ if err == nil || code == 0 {
|
|
| 3115 |
+ t.Fatal("container should not be able to mount into /proc")
|
|
| 3116 |
+ } |
|
| 3117 |
+ logDone("run - mount into proc")
|
|
| 3118 |
+} |
|
| 3119 |
+ |
|
| 3120 |
+func TestMountIntoSys(t *testing.T) {
|
|
| 3121 |
+ defer deleteAllContainers() |
|
| 3122 |
+ code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true")) |
|
| 3123 |
+ if err == nil || code == 0 {
|
|
| 3124 |
+ t.Fatal("container should not be able to mount into /sys")
|
|
| 3125 |
+ } |
|
| 3126 |
+ logDone("run - mount into sys")
|
|
| 3127 |
+} |
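Review bot: Both tests treat any non-zero exit as success, so a failure unrelated to the mount check (daemon unreachable, busybox image missing) would also pass them; the assertion should additionally inspect the command's output for the rejection message once that message is settled, rather than relying on `code == 0` alone. The destinations `/proc//sys` and `/sys/` look deliberately unnormalized, presumably to make sure the check cleans the path before comparing, and a one-line comment on each, e.g. `// unnormalized on purpose: the check must clean the path before comparing`, would stop a later cleanup from "fixing" them. Coverage is also asymmetric: one case mounts a sub-path of /proc and the other the root of /sys, so a plain `/proc` and a sub-path of /sys are untested. The neighbouring tests in this file are named `TestRun...`; `TestRunMountIntoProc` and `TestRunMountIntoSys` would follow that convention.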