Merge pull request #1314 from runcom/overlay-mounts

libcontainer: rootfs_linux: support overlayfs
2017-02-08 16:17:01 +08:00 · 2017-02-08 16:17:01 +08:00 · a8d7eb7076
parent b263a43430 ca14e7b463
commit a8d7eb7076
1 changed files with 13 additions and 0 deletions
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@ -313,6 +313,19 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 			}
 		}
 	default:
+		// ensure that the destination of the mount is resolved of symlinks at mount time because
+		// any previous mounts can invalidate the next mount's destination.
+		// this can happen when a user specifies mounts within other mounts to cause breakouts or other
+		// evil stuff to try to escape the container's rootfs.
+		var err error
+		if dest, err = symlink.FollowSymlinkInScope(filepath.Join(rootfs, m.Destination), rootfs); err != nil {
+			return err
+		}
+		if err := checkMountDestination(rootfs, dest); err != nil {
+			return err
+		}
+		// update the mount with the correct dest after symlinks are resolved.
+		m.Destination = dest
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
 		}