Add AllowedMounts configuration option, block any custom mounts if they are not in the AllowedMounts list
parent
63e7bde39c
commit
3a6050446f
|
@ -80,6 +80,9 @@ type Configuration struct {
|
||||||
// The location where the panel is running that this daemon should connect to
|
// The location where the panel is running that this daemon should connect to
|
||||||
// to collect data and send events.
|
// to collect data and send events.
|
||||||
PanelLocation string `json:"remote" yaml:"remote"`
|
PanelLocation string `json:"remote" yaml:"remote"`
|
||||||
|
|
||||||
|
// AllowedMounts .
|
||||||
|
AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Defines the configuration of the internal SFTP server.
|
// Defines the configuration of the internal SFTP server.
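Review bot: The doc comment `// AllowedMounts .` on the new Configuration field is a placeholder and does not say how the list is interpreted, even though the field decides which host paths can be bind-mounted into server containers. I would replace it with `// AllowedMounts lists the host paths that a server mount's source must fall under;` `// a mount whose source matches none of them is not attached. An empty list blocks all custom mounts.` It would also help to state whether entries are expected to be absolute, cleaned directory paths, since the check in Create depends on their exact form.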
|
||||||
|
|
|
@ -122,7 +122,7 @@ func (d *DockerEnvironment) InSituUpdate() error {
|
||||||
return errors.WithStack(err)
|
return errors.WithStack(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx, _ := context.WithTimeout(context.Background(), time.Second * 10)
|
ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
|
||||||
u := container.UpdateConfig{
|
u := container.UpdateConfig{
|
||||||
Resources: d.getResourcesForServer(),
|
Resources: d.getResourcesForServer(),
|
||||||
}
|
}
|
||||||
|
@ -254,7 +254,7 @@ func (d *DockerEnvironment) Start() error {
|
||||||
return errors.WithStack(err)
|
return errors.WithStack(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx, _ := context.WithTimeout(context.Background(), time.Second * 10)
|
ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
|
||||||
if err := d.Client.ContainerStart(ctx, d.Server.Uuid, types.ContainerStartOptions{}); err != nil {
|
if err := d.Client.ContainerStart(ctx, d.Server.Uuid, types.ContainerStartOptions{}); err != nil {
|
||||||
return errors.WithStack(err)
|
return errors.WithStack(err)
|
||||||
}
|
}
|
||||||
|
@ -671,13 +671,25 @@ func (d *DockerEnvironment) Create() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, m := range d.Server.Mounts {
|
for _, m := range d.Server.Mounts {
|
||||||
mounts = append(mounts, mount.Mount{
|
for _, allowed := range config.Get().AllowedMounts {
|
||||||
Type: mount.TypeBind,
|
if !strings.HasPrefix(m.Source, allowed) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
Source: m.Source,
|
log.WithFields(log.Fields{
|
||||||
Target: m.Target,
|
"server": d.Server.Uuid,
|
||||||
ReadOnly: m.ReadOnly,
|
"source": m.Source,
|
||||||
})
|
"target": m.Target,
|
||||||
|
"read_only": m.ReadOnly,
|
||||||
|
}).Debug("attaching mount to server's container")
|
||||||
|
mounts = append(mounts, mount.Mount{
|
||||||
|
Type: mount.TypeBind,
|
||||||
|
|
||||||
|
Source: m.Source,
|
||||||
|
Target: m.Target,
|
||||||
|
ReadOnly: m.ReadOnly,
|
||||||
|
})
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
hostConf := &container.HostConfig{
|
hostConf := &container.HostConfig{
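Review bot: The allow-list test in Create, `strings.HasPrefix(m.Source, allowed)`, compares raw strings, so an entry such as `/srv/data` (example path) also accepts `/srv/data-other` and any source whose `..` segments resolve outside the allowed directory, and an empty entry accepts every source. Because the append sits inside the inner loop with no `break`, a source that matches two entries is added to `mounts` twice, and a rejected source is dropped without any log line. I would clean both paths, match on a path-separator boundary, stop at the first match, log rejections at warn level and pass the cleaned source to `mount.Mount` (this needs `path/filepath`); the check stays lexical, so symlinks under an allowed path would still need resolving if they can exist there. Create's body continues outside the hunk.

```go
for _, m := range d.Server.Mounts {
	source := filepath.Clean(m.Source)
	permitted := false
	for _, allowed := range config.Get().AllowedMounts {
		if allowed == "" {
			// An empty entry would be a prefix of every path.
			continue
		}
		base := filepath.Clean(allowed)
		// Accept the allowed directory itself or anything below it, never a sibling
		// that merely shares the leading characters.
		if source == base || strings.HasPrefix(source, strings.TrimSuffix(base, "/")+"/") {
			permitted = true
			break
		}
	}
	if !permitted {
		log.WithFields(log.Fields{
			"server": d.Server.Uuid,
			"source": m.Source,
		}).Warn("skipping mount: source is not under an allowed mount path")
		continue
	}

	// … unchanged: debug log "attaching mount to server's container" …
	// … unchanged: mounts = append(mounts, mount.Mount{...}), with Source: source …
}
```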
|
||||||
|
|