Add AllowedMounts configuration option, block any custom mounts if they are not in the AllowedMounts list

config/config.go

@@ -80,6 +80,9 @@ type Configuration struct {
 	// The location where the panel is running that this daemon should connect to
 	// to collect data and send events.
 	PanelLocation string `json:"remote" yaml:"remote"`
+
+	// AllowedMounts .
+	AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
 }
 
 // Defines the configuration of the internal SFTP server.

server/environment_docker.go

@@ -671,6 +671,17 @@ func (d *DockerEnvironment) Create() error {
 	}
 
 	for _, m := range d.Server.Mounts {
+		for _, allowed := range config.Get().AllowedMounts {
+			if !strings.HasPrefix(m.Source, allowed) {
+				continue
+			}
+
+			log.WithFields(log.Fields{
+				"server":    d.Server.Uuid,
+				"source":    m.Source,
+				"target":    m.Target,
+				"read_only": m.ReadOnly,
+			}).Debug("attaching mount to server's container")
 			mounts = append(mounts, mount.Mount{
 				Type: mount.TypeBind,
 
@@ -679,6 +690,7 @@ func (d *DockerEnvironment) Create() error {
 				ReadOnly: m.ReadOnly,
 			})
 		}
+	}
 
 	hostConf := &container.HostConfig{
 		PortBindings: d.portBindings(),