10 年之前 · a7a51306b1
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -82,16 +82,16 @@ func New() *configs.Config {
 
				 		},
			
 
				 		MaskPaths: []string{
			
 
				 			"/proc/kcore",
			
 
				+			"/proc/latency_stats",
			
 
				+			"/proc/timer_stats",
			
 
				 		},
			
 
				 		ReadonlyPaths: []string{
			
 
				 			"/proc/asound",
			
 
				 			"/proc/bus",
			
 
				 			"/proc/fs",
			
 
				 			"/proc/irq",
			
 
				-			"/proc/latency_stats",
			
 
				 			"/proc/sys",
			
 
				 			"/proc/sysrq-trigger",
			
 
				-			"/proc/timer_stats",
			
 
				 		},
			
 
				 	}
			
 
				 
			
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3078,20 +3078,32 @@ func TestRunWriteToProcAsound(t *testing.T) {
 
				 	logDone("run - ro write to /proc/asound")
			
 
				 }
			
 
				 
			
 
				-func TestRunWriteToProcTimer(t *testing.T) {
			
 
				+func TestRunReadProcTimer(t *testing.T) {
			
 
				 	defer deleteAllContainers()
			
 
				-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/timer_stats"))
			
 
				-	if err == nil || code == 0 {
			
 
				-		t.Fatal("standard container should not be able to write to /proc/timer_stats")
			
 
				+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/timer_stats"))
			
 
				+	if err != nil || code != 0 {
			
 
				+		t.Fatal(err)
			
 
				+	}
			
 
				+	if strings.Trim(out, "\n ") != "" {
			
 
				+		t.Fatalf("expected to receive no output from /proc/timer_stats but received %q", out)
			
 
				 	}
			
 
				-	logDone("run - ro write to /proc/timer_stats")
			
 
				+	logDone("run - read /proc/timer_stats")
			
 
				 }
			
 
				 
			
 
				-func TestRunWriteToProcLatency(t *testing.T) {
			
 
				+func TestRunReadProcLatency(t *testing.T) {
			
 
				+	// some kernels don't have this configured so skip the test if this file is not found
			
 
				+	// on the host running the tests.
			
 
				+	if _, err := os.Stat("/proc/latency_stats"); err != nil {
			
 
				+		t.Skip()
			
 
				+		return
			
 
				+	}
			
 
				 	defer deleteAllContainers()
			
 
				-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/latency_stats"))
			
 
				-	if err == nil || code == 0 {
			
 
				-		t.Fatal("standard container should not be able to write to /proc/latency_stats")
			
 
				+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/latency_stats"))
			
 
				+	if err != nil || code != 0 {
			
 
				+		t.Fatal(err)
			
 
				+	}
			
 
				+	if strings.Trim(out, "\n ") != "" {
			
 
				+		t.Fatalf("expected to receive no output from /proc/latency_stats but received %q", out)
			
 
				 	}
			
 
				-	logDone("run - ro write to /proc/latency_stats")
			
 
				+	logDone("run - read /proc/latency_stats")
			
 
				 }