Add AllowedMounts configuration option, block any custom mounts if they are not in the AllowedMounts list

This commit is contained in:
Matthew Penner 2020-07-04 15:32:53 -06:00
parent 63e7bde39c
commit 3a6050446f
2 changed files with 23 additions and 8 deletions

View File

@ -80,6 +80,9 @@ type Configuration struct {
// The location where the panel is running that this daemon should connect to
// to collect data and send events.
PanelLocation string `json:"remote" yaml:"remote"`
// AllowedMounts .
AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
}
// Defines the configuration of the internal SFTP server.

View File

@ -671,6 +671,17 @@ func (d *DockerEnvironment) Create() error {
}
for _, m := range d.Server.Mounts {
for _, allowed := range config.Get().AllowedMounts {
if !strings.HasPrefix(m.Source, allowed) {
continue
}
log.WithFields(log.Fields{
"server": d.Server.Uuid,
"source": m.Source,
"target": m.Target,
"read_only": m.ReadOnly,
}).Debug("attaching mount to server's container")
mounts = append(mounts, mount.Mount{
Type: mount.TypeBind,
@ -679,6 +690,7 @@ func (d *DockerEnvironment) Create() error {
ReadOnly: m.ReadOnly,
})
}
}
hostConf := &container.HostConfig{
PortBindings: d.portBindings(),