|
|
@@ -3466,6 +3466,84 @@ func (s *DockerSuite) TestRunContainerWithCgroupParentAbsPath(c *check.C) {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+// TestRunInvalidCgroupParent checks that a specially-crafted cgroup parent doesn't cause Docker to crash or start modifying /.
|
|
|
+func (s *DockerSuite) TestRunInvalidCgroupParent(c *check.C) {
|
|
|
+ // Not applicable on Windows as uses Unix specific functionality
|
|
|
+ testRequires(c, DaemonIsLinux)
|
|
|
+
|
|
|
+ cgroupParent := "../../../../../../../../SHOULD_NOT_EXIST"
|
|
|
+ cleanCgroupParent := "SHOULD_NOT_EXIST"
|
|
|
+ name := "cgroup-invalid-test"
|
|
|
+
|
|
|
+ out, _, err := dockerCmdWithError("run", "--cgroup-parent", cgroupParent, "--name", name, "busybox", "cat", "/proc/self/cgroup")
|
|
|
+ if err != nil {
|
|
|
+ // XXX: This may include a daemon crash.
|
|
|
+ c.Fatalf("unexpected failure when running container with --cgroup-parent option - %s\n%v", string(out), err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // We expect "/SHOULD_NOT_EXIST" to not exist. If not, we have a security issue.
|
|
|
+ if _, err := os.Stat("/SHOULD_NOT_EXIST"); err == nil || !os.IsNotExist(err) {
|
|
|
+ c.Fatalf("SECURITY: --cgroup-parent with ../../ relative paths cause files to be created in the host (this is bad) !!")
|
|
|
+ }
|
|
|
+
|
|
|
+ cgroupPaths := parseCgroupPaths(string(out))
|
|
|
+ if len(cgroupPaths) == 0 {
|
|
|
+ c.Fatalf("unexpected output - %q", string(out))
|
|
|
+ }
|
|
|
+ id, err := getIDByName(name)
|
|
|
+ c.Assert(err, check.IsNil)
|
|
|
+ expectedCgroup := path.Join(cleanCgroupParent, id)
|
|
|
+ found := false
|
|
|
+ for _, path := range cgroupPaths {
|
|
|
+ if strings.HasSuffix(path, expectedCgroup) {
|
|
|
+ found = true
|
|
|
+ break
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if !found {
|
|
|
+ c.Fatalf("unexpected cgroup paths. Expected at least one cgroup path to have suffix %q. Cgroup Paths: %v", expectedCgroup, cgroupPaths)
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+// TestRunInvalidCgroupParent checks that a specially-crafted cgroup parent doesn't cause Docker to crash or start modifying /.
|
|
|
+func (s *DockerSuite) TestRunAbsoluteInvalidCgroupParent(c *check.C) {
|
|
|
+ // Not applicable on Windows as uses Unix specific functionality
|
|
|
+ testRequires(c, DaemonIsLinux)
|
|
|
+
|
|
|
+ cgroupParent := "/../../../../../../../../SHOULD_NOT_EXIST"
|
|
|
+ cleanCgroupParent := "/SHOULD_NOT_EXIST"
|
|
|
+ name := "cgroup-absolute-invalid-test"
|
|
|
+
|
|
|
+ out, _, err := dockerCmdWithError("run", "--cgroup-parent", cgroupParent, "--name", name, "busybox", "cat", "/proc/self/cgroup")
|
|
|
+ if err != nil {
|
|
|
+ // XXX: This may include a daemon crash.
|
|
|
+ c.Fatalf("unexpected failure when running container with --cgroup-parent option - %s\n%v", string(out), err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // We expect "/SHOULD_NOT_EXIST" to not exist. If not, we have a security issue.
|
|
|
+ if _, err := os.Stat("/SHOULD_NOT_EXIST"); err == nil || !os.IsNotExist(err) {
|
|
|
+ c.Fatalf("SECURITY: --cgroup-parent with /../../ garbage paths cause files to be created in the host (this is bad) !!")
|
|
|
+ }
|
|
|
+
|
|
|
+ cgroupPaths := parseCgroupPaths(string(out))
|
|
|
+ if len(cgroupPaths) == 0 {
|
|
|
+ c.Fatalf("unexpected output - %q", string(out))
|
|
|
+ }
|
|
|
+ id, err := getIDByName(name)
|
|
|
+ c.Assert(err, check.IsNil)
|
|
|
+ expectedCgroup := path.Join(cleanCgroupParent, id)
|
|
|
+ found := false
|
|
|
+ for _, path := range cgroupPaths {
|
|
|
+ if strings.HasSuffix(path, expectedCgroup) {
|
|
|
+ found = true
|
|
|
+ break
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if !found {
|
|
|
+ c.Fatalf("unexpected cgroup paths. Expected at least one cgroup path to have suffix %q. Cgroup Paths: %v", expectedCgroup, cgroupPaths)
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
func (s *DockerSuite) TestRunContainerWithCgroupMountRO(c *check.C) {
|
|
|
// Not applicable on Windows as uses Unix specific functionality
|
|
|
// --read-only + userns has remount issues
|
Aleksa Sarai