Add AllowedMounts configuration option, block any custom mounts if they are not in the AllowedMounts list

Matthew Penner 2020-07-04 15:32:53 -06:00
parent 63e7bde39c
commit 3a6050446f
2 changed files with 23 additions and 8 deletions


@ -80,6 +80,9 @@ type Configuration struct {
// The location where the panel is running that this daemon should connect to // The location where the panel is running that this daemon should connect to
// to collect data and send events. // to collect data and send events.
PanelLocation string `json:"remote" yaml:"remote"` PanelLocation string `json:"remote" yaml:"remote"`
// AllowedMounts .
AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
} }
// Defines the configuration of the internal SFTP server. // Defines the configuration of the internal SFTP server.
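Review bot: The doc comment `// AllowedMounts .` on the new field is an empty placeholder and tells an operator nothing about what the list controls, even though it is the only thing deciding which host paths a server may bind into its container. Replace it with `// AllowedMounts lists the host path prefixes a server mount source may start with; a mount whose source matches none of them is skipped when the container is created, so an empty list disables all custom mounts.` Since the matching done in this commit is a plain string prefix test, the comment should also tell operators to write each entry as a cleaned absolute path ending in a separator (`/mnt/data/` rather than `/mnt/data`) so sibling directories that merely share the prefix are not accepted; the matcher itself compares the source without cleaning it, which is worth a follow-up in the Create() hunk.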


@ -122,7 +122,7 @@ func (d *DockerEnvironment) InSituUpdate() error {
return errors.WithStack(err) return errors.WithStack(err)
} }
ctx, _ := context.WithTimeout(context.Background(), time.Second * 10) ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
u := container.UpdateConfig{ u := container.UpdateConfig{
Resources: d.getResourcesForServer(), Resources: d.getResourcesForServer(),
} }
@ -254,7 +254,7 @@ func (d *DockerEnvironment) Start() error {
return errors.WithStack(err) return errors.WithStack(err)
} }
ctx, _ := context.WithTimeout(context.Background(), time.Second * 10) ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
if err := d.Client.ContainerStart(ctx, d.Server.Uuid, types.ContainerStartOptions{}); err != nil { if err := d.Client.ContainerStart(ctx, d.Server.Uuid, types.ContainerStartOptions{}); err != nil {
return errors.WithStack(err) return errors.WithStack(err)
} }
@ -671,13 +671,25 @@ func (d *DockerEnvironment) Create() error {
} }
for _, m := range d.Server.Mounts { for _, m := range d.Server.Mounts {
mounts = append(mounts, mount.Mount{ for _, allowed := range config.Get().AllowedMounts {
Type: mount.TypeBind, if !strings.HasPrefix(m.Source, allowed) {
continue
}
Source: m.Source, log.WithFields(log.Fields{
Target: m.Target, "server": d.Server.Uuid,
ReadOnly: m.ReadOnly, "source": m.Source,
}) "target": m.Target,
"read_only": m.ReadOnly,
}).Debug("attaching mount to server's container")
mounts = append(mounts, mount.Mount{
Type: mount.TypeBind,
Source: m.Source,
Target: m.Target,
ReadOnly: m.ReadOnly,
})
}
} }
hostConf := &container.HostConfig{ hostConf := &container.HostConfig{