Merge pull request #595 from crosbymichael/masking

Update masked and ro paths
2016-03-01 11:14:20 +08:00 · 2016-03-01 11:14:20 +08:00 · 146643f1f9
parent b1872a068e a12336eb3e
commit 146643f1f9
2 changed files with 20 additions and 9 deletions
--- a/spec.go
+++ b/spec.go
@ -294,15 +294,9 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
 		return nil, err
 	}
 	config.Cgroups = c
-	if config.Readonlyfs {
-		setReadonly(config)
-		config.MaskPaths = []string{
-			"/proc/kcore",
-		}
-		config.ReadonlyPaths = []string{
-			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
-		}
-	}
+	// set extra path masking for libcontainer for the various unsafe places in proc
+	config.MaskPaths = maskedPaths
+	config.ReadonlyPaths = readonlyPaths
 	seccomp, err := setupSeccomp(&spec.Linux.Seccomp)
 	if err != nil {
 		return nil, err
--- a/utils.go
+++ b/utils.go
@ -122,6 +122,23 @@ var allowedDevices = []*configs.Device{
 	},
 }

+var (
+	maskedPaths = []string{
+		"/proc/kcore",
+		"/proc/latency_stats",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+	}
+	readonlyPaths = []string{
+		"/proc/asound",
+		"/proc/bus",
+		"/proc/fs",
+		"/proc/irq",
+		"/proc/sys",
+		"/proc/sysrq-trigger",
+	}
+)
+
 var container libcontainer.Container

 func containerPreload(context *cli.Context) error {