From d5ebb60bddbabea0439213501f4f6ed494b23cba Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 21 Apr 2015 17:31:05 -0700
Subject: [PATCH] Allow libcontainer to eval symlink destination

Signed-off-by: Michael Crosby

Add tests for mounting into /proc and /sys

These two locations should be prohibited from mounting volumes into those destinations.

Signed-off-by: Michael Crosby
---
 daemon/execdriver/native/create.go | 9 +--------
 integration-cli/docker_cli_run_test.go | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index a988fba52..d2782499c 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -6,12 +6,10 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"path/filepath"
 	"strings"
 	"syscall"
 
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/devices"
@@ -228,10 +226,6 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 	container.Mounts = defaultMounts
 
 	for _, m := range c.Mounts {
-		dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)
-		if err != nil {
-			return err
-		}
 		flags := syscall.MS_BIND | syscall.MS_REC
 		if !m.Writable {
 			flags |= syscall.MS_RDONLY
@@ -239,10 +233,9 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 		if m.Slave {
 			flags |= syscall.MS_SLAVE
 		}
-
 		container.Mounts = append(container.Mounts, &configs.Mount{
 			Source: m.Source,
-			Destination: dest,
+			Destination: m.Destination,
 			Device: "bind",
 			Flags: flags,
 		})
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 9911614e1..9f7f578e0 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
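Review bot: With the FollowSymlinkInScope call removed from the loop body, `m.Destination` reaches the `configs.Mount` literal in the following hunk without being cleaned or resolved against `c.Rootfs`, so this driver no longer checks on its own that a destination which is, or passes through, a symlink stays inside the container root. The subject says libcontainer now performs that evaluation, but nothing in the code records the dependency; add above the `container.Mounts = append(container.Mounts, &configs.Mount{` line: `// Destination is passed unresolved: libcontainer is expected to evaluate symlinks in it within the rootfs when it applies the mount.` Whether libcontainer also refuses destinations under /proc and /sys, as the new integration tests in the other file expect, cannot be confirmed from this patch, so the comment should point at wherever that contract is pinned. setupMounts begins and ends outside these hunks.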
@@ -3487,3 +3487,21 @@ func TestRunReadProcLatency(t *testing.T) {
 	}
 	logDone("run - read /proc/latency_stats")
 }
+
+func TestMountIntoProc(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /proc")
+	}
+	logDone("run - mount into proc")
+}
+
+func TestMountIntoSys(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /sys")
+	}
+	logDone("run - mount into sys")
+}
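Review bot: Both new tests pass on any non-zero exit from `docker run`, so an unrelated failure (image not present, daemon unreachable) is indistinguishable from the intended rejection of the /proc and /sys destinations. Capture the output and assert on the rejection message too, e.g. `out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))` followed by `if err == nil || code == 0 || !strings.Contains(out, "<expected rejection text>") {`, and the same for the /sys case. The `/proc//sys` and `/sys/` spellings look deliberate, presumably to exercise path normalization in the check; a one-line comment on each test such as `// non-normalized path on purpose: the check must clean the destination before comparing` would keep a later cleanup from "fixing" them.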