Allow libcontainer to eval symlink destination

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Add tests for mounting into /proc and /sys

Mounting volumes into either of these two destinations should be
prohibited.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index a988fba..d278249 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -6,12 +6,10 @@
 	"errors"
 	"fmt"
 	"net"
-	"path/filepath"
 	"strings"
 	"syscall"
 
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/devices"
@@ -228,10 +226,6 @@
 	container.Mounts = defaultMounts
 
 	for _, m := range c.Mounts {
-		dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)
-		if err != nil {
-			return err
-		}
 		flags := syscall.MS_BIND | syscall.MS_REC
 		if !m.Writable {
 			flags |= syscall.MS_RDONLY
@@ -239,10 +233,9 @@
 		if m.Slave {
 			flags |= syscall.MS_SLAVE
 		}
-
 		container.Mounts = append(container.Mounts, &configs.Mount{
 			Source:      m.Source,
-			Destination: dest,
+			Destination: m.Destination,
 			Device:      "bind",
 			Flags:       flags,
 		})
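Review bot: `Destination: m.Destination` now hands libcontainer the raw, unresolved path, so the in-rootfs symlink resolution that `symlink.FollowSymlinkInScope` used to perform in this loop (removed in the previous hunk) is no longer visible anywhere in the daemon, and nothing records what the daemon now relies on libcontainer to do. A comment above the append would make that contract explicit, e.g. `// Destination is passed unresolved on purpose: libcontainer resolves it inside the rootfs and refuses /proc and /sys targets.` It is also worth confirming that the libcontainer revision vendored in this tree already performs that resolution and the /proc and /sys check, since the daemon-side error path that used to reject a bad destination before start is gone. The enclosing function begins before this hunk and the `for` loop closes after it.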
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 9911614..9f7f578 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3487,3 +3487,21 @@
 	}
 	logDone("run - read /proc/latency_stats")
 }
+
+func TestMountIntoProc(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /proc")
+	}
+	logDone("run - mount into proc")
+}
+
+func TestMountIntoSys(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /sys")
+	}
+	logDone("run - mount into sys")
+}
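Review bot: Both tests accept any failure of `docker run` (`err == nil || code == 0` is the only check), so an unrelated problem such as a missing busybox image or a daemon that is not running passes them too, and the /proc and /sys refusal is never actually confirmed. Capturing the command's output (the suite's `runCommandWithOutput` helper, if it is available here) and asserting that it names the refused mount would pin the intended behaviour. The two destinations also look deliberately non-canonical (`/proc//sys`, `/sys/`); if that is the intent, a one-line comment such as `// non-canonical paths on purpose: the guard must catch them after cleaning` would stop a later tidy-up from normalising them away.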