validate bind mounts on the server side
This changes the server side code to make sure that: 1) the source of a bind mount isn't / The bind mount "/:/foo" isn't allowed. 2) Check that the source exists The source to be bind mounted must exist. This fixes issue #2070.
This commit is contained in:
unclejack
parent
f1f39616eb
commit
4d2ba779e1
1 changed files with 19 additions and 0 deletions
19
server.go
19
server.go
|
|
@ -1316,6 +1316,25 @@ func (srv *Server) RegisterLinks(name string, hostConfig *HostConfig) error {
|
|||
func (srv *Server) ContainerStart(name string, hostConfig *HostConfig) error {
|
||||
runtime := srv.runtime
|
||||
container := runtime.Get(name)
|
||||
|
||||
if hostConfig != nil {
|
||||
for _, bind := range hostConfig.Binds {
|
||||
splitBind := strings.Split(bind, ":")
|
||||
source := splitBind[0]
|
||||
|
||||
// refuse to bind mount "/" to the container
|
||||
if source == "/" {
|
||||
return fmt.Errorf("Invalid bind mount '%s' : source can't be '/'", bind)
|
||||
}
|
||||
|
||||
// ensure the source exists on the host
|
||||
_, err := os.Stat(source)
|
||||
if err != nil && os.IsNotExist(err) {
|
||||
return fmt.Errorf("Invalid bind mount '%s' : source doesn't exist", bind)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if container == nil {
|
||||
return fmt.Errorf("No such container: %s", name)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue