Add white list for bind mount check #452

Merged
merged 1 commit into from Jan 6, 2016

@hqhq hqhq commented Jan 4, 2016

Fixes: #400

It would be useful to use fuse to isolate proc info.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>

dqminh commented Jan 4, 2016

LGTM

@@ -299,6 +299,22 @@ func checkMountDestination(rootfs, dest string) error {
invalidDestinations := []string{
"/proc",
}
// White list, it should be sub directories of invalid destionations

@hqhq
small typo in the comment, "invalid destionations" -> invalid destinations

@rajasec Thanks, updated.

@@ -299,6 +299,22 @@ func checkMountDestination(rootfs, dest string) error {
invalidDestinations := []string{
"/proc",
}
// White list, it should be sub directories of invalid destinations
validDestinations := []string{
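
Review bot: The comment above `validDestinations` only says entries should be subdirectories of the invalid destinations; it does not say how an entry is compared against `dest`. Since this list is an exception to the "/proc" restriction in `checkMountDestination`, suggest stating in the comment that each entry must match as an exact path resolved inside `rootfs`, not as a prefix, so the exception cannot extend to other paths under "/proc" that merely start with an allowed entry.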

Can you add why these files were chosen and use cases?

@mrunalp Updated.

Fixes: opencontainers#400

It would be useful to use fuse to isolate proc info.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>

mrunalp commented Jan 6, 2016

LGTM

mrunalp pushed a commit that referenced this pull request Jan 6, 2016
Add white list for bind mount check
@mrunalp mrunalp merged commit 4fda64b into opencontainers:master Jan 6, 2016
@hqhq hqhq deleted the hq_bindmount_whitelist branch January 7, 2016 08:37
stefanberger pushed a commit to stefanberger/runc that referenced this pull request Sep 8, 2017
…stem-owners

config-linux: Make “don't modify filesystem permissions” generic