jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prohibit bind mounts into / 

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
Michael Crosby 2015-04-30 10:23:42 -07:00
parent 3c25c9b9cf
commit e3e7c47123
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rootfs_linux.go
View File

@ -212,6 +212,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
// top of /proc or /sys. // top of /proc or /sys.
// dest is required to be an abs path and have any symlinks resolved before calling this function. // dest is required to be an abs path and have any symlinks resolved before calling this function.
func checkMountDestination(rootfs, dest string) error { func checkMountDestination(rootfs, dest string) error {
if filepath.Clean(rootfs) == filepath.Clean(dest) {
return fmt.Errorf("mounting into / is prohibited")
}
invalidDestinations := []string{ invalidDestinations := []string{
"/proc", "/proc",
"/sys", "/sys",
@ -232,6 +235,9 @@ func dirIsChild(root, dir string) bool {
rootParts = strings.Split(filepath.Clean(root), string(filepath.Separator)) rootParts = strings.Split(filepath.Clean(root), string(filepath.Separator))
dirParts = strings.Split(filepath.Clean(dir), string(filepath.Separator)) dirParts = strings.Split(filepath.Clean(dir), string(filepath.Separator))
) )
if len(dirParts) < len(rootParts) {
return false
}
for i, p := range rootParts { for i, p := range rootParts {
if p != dirParts[i] { if p != dirParts[i] {
return false return false

8
rootfs_linux_test.go
View File

@ -27,3 +27,11 @@ func TestCheckMountDestFalsePositive(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
func TestCheckMountRoot(t *testing.T) {
dest := "/rootfs"
err := checkMountDestination("/rootfs", dest)
if err == nil {
t.Fatal(err)
}
}