Merge pull request #303 from mrunalp/sysctl_validation

Add validation for sysctl

libcontainer/configs/validate/config.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
 )
@@ -35,6 +36,9 @@ func (v *ConfigValidator) Validate(config *configs.Config) error {
 	if err := v.usernamespace(config); err != nil {
 		return err
 	}
+	if err := v.sysctl(config); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -91,3 +95,44 @@ func (v *ConfigValidator) usernamespace(config *configs.Config) error {
 	}
 	return nil
 }
+
+// sysctl validates that the specified sysctl keys are valid or not.
+// /proc/sys isn't completely namespaced and depending on which namespaces
+// are specified, a subset of sysctls are permitted.
+func (v *ConfigValidator) sysctl(config *configs.Config) error {
+	validSysctlPrefixes := []string{}
+	validSysctlMap := make(map[string]bool)
+	if config.Namespaces.Contains(configs.NEWNET) {
+		validSysctlPrefixes = append(validSysctlPrefixes, "net.")
+	}
+	if config.Namespaces.Contains(configs.NEWIPC) {
+		validSysctlPrefixes = append(validSysctlPrefixes, "fs.mqueue.")
+		validSysctlMap = map[string]bool{
+			"kernel.msgmax":          true,
+			"kernel.msgmnb":          true,
+			"kernel.msgmni":          true,
+			"kernel.sem":             true,
+			"kernel.shmall":          true,
+			"kernel.shmmax":          true,
+			"kernel.shmmni":          true,
+			"kernel.shm_rmid_forced": true,
+		}
+	}
+	for s := range config.Sysctl {
+		if validSysctlMap[s] {
+			continue
+		}
+		valid := false
+		for _, vp := range validSysctlPrefixes {
+			if strings.HasPrefix(s, vp) {
+				valid = true
+				break
+			}
+		}
+		if !valid {
+			return fmt.Errorf("sysctl %q is not permitted in the config", s)
+		}
+	}
+
+	return nil
+}