Add AllowedMounts configuration option, block any custom mounts if they are not in the AllowedMounts list

config/config.go

@@ -80,6 +80,9 @@ type Configuration struct {
 	// The location where the panel is running that this daemon should connect to
 	// to collect data and send events.
 	PanelLocation string `json:"remote" yaml:"remote"`
+
+	// AllowedMounts .
+	AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
 }
 
 // Defines the configuration of the internal SFTP server.

server/environment_docker.go

@@ -122,7 +122,7 @@ func (d *DockerEnvironment) InSituUpdate() error {
 		return errors.WithStack(err)
 	}
 
-	ctx, _ := context.WithTimeout(context.Background(), time.Second * 10)
+	ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
 	u := container.UpdateConfig{
 		Resources: d.getResourcesForServer(),
 	}
@@ -254,7 +254,7 @@ func (d *DockerEnvironment) Start() error {
 		return errors.WithStack(err)
 	}
 
-	ctx, _ := context.WithTimeout(context.Background(), time.Second * 10)
+	ctx, _ := context.WithTimeout(context.Background(), time.Second*10)
 	if err := d.Client.ContainerStart(ctx, d.Server.Uuid, types.ContainerStartOptions{}); err != nil {
 		return errors.WithStack(err)
 	}
@@ -671,13 +671,25 @@ func (d *DockerEnvironment) Create() error {
 	}
 
 	for _, m := range d.Server.Mounts {
-		mounts = append(mounts, mount.Mount{
+		for _, allowed := range config.Get().AllowedMounts {
-			Type: mount.TypeBind,
+			if !strings.HasPrefix(m.Source, allowed) {
+				continue
+			}
 
-			Source:   m.Source,
+			log.WithFields(log.Fields{
-			Target:   m.Target,
+				"server":    d.Server.Uuid,
-			ReadOnly: m.ReadOnly,
+				"source":    m.Source,
-		})
+				"target":    m.Target,
+				"read_only": m.ReadOnly,
+			}).Debug("attaching mount to server's container")
+			mounts = append(mounts, mount.Mount{
+				Type: mount.TypeBind,
+
+				Source:   m.Source,
+				Target:   m.Target,
+				ReadOnly: m.ReadOnly,
+			})
+		}
 	}
 
 	hostConf := &container.HostConfig{