Use IsRestrictedVolume from runner-go

engine/compiler/compiler.go

@@ -14,6 +14,7 @@ import (
 	"github.com/drone-runners/drone-runner-docker/internal/docker/image"
 
 	"github.com/drone/runner-go/clone"
+	"github.com/drone/runner-go/container"
 	"github.com/drone/runner-go/environ"
 	"github.com/drone/runner-go/environ/provider"
 	"github.com/drone/runner-go/labels"
@@ -131,7 +132,7 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti
 
 	// reset the workspace path if attempting to mount
 	// volumes that are internal use only.
-	if isRestrictedVolume(full) {
+	if container.IsRestrictedVolume(full) {
 		base = "/drone/src"
 		path = ""
 		full = "/drone/src"
@@ -551,7 +552,7 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
 	// internal use only.
 	// note: this is deprecated.
 	for _, mount := range step.Volumes {
-		if isRestrictedVolume(mount.MountPath) {
+		if container.IsRestrictedVolume(mount.MountPath) {
 			return false
 		}
 	}

engine/compiler/util.go

@@ -5,11 +5,11 @@
 package compiler
 
 import (
-	"path/filepath"
 	"strings"
 
 	"github.com/drone-runners/drone-runner-docker/engine"
 	"github.com/drone-runners/drone-runner-docker/engine/resource"
+
 	"github.com/drone/drone-go/drone"
 	"github.com/drone/runner-go/manifest"
 )
@@ -138,33 +138,6 @@ func convertPullPolicy(s string) engine.PullPolicy {
 	}
 }
 
-// helper function returns true if mounting the volume
-// is restricted for un-trusted containers.
-func isRestrictedVolume(path string) bool {
-	path, _ = filepath.Abs(path)
-	path = strings.ToLower(path)
-	switch {
-	case path == "/":
-	case path == "/var":
-	case path == "/etc":
-	case strings.HasPrefix(path, "/var/run"):
-	case strings.HasPrefix(path, "/proc"):
-	case strings.HasPrefix(path, "/mount"):
-	case strings.HasPrefix(path, "/bin"):
-	case strings.HasPrefix(path, "/usr/local/bin"):
-	case strings.HasPrefix(path, "/usr/local/sbin"):
-	case strings.HasPrefix(path, "/usr/bin"):
-	case strings.HasPrefix(path, "/mnt"):
-	case strings.HasPrefix(path, "/media"):
-	case strings.HasPrefix(path, "/sys"):
-	case strings.HasPrefix(path, "/dev"):
-	case strings.HasPrefix(path, "/etc/docker"):
-	default:
-		return false
-	}
-	return true
-}
-
 // helper function returns true if the environment variable
 // is restricted for internal-use only.
 func isRestrictedVariable(env map[string]*manifest.Variable) bool {

engine/compiler/util_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/drone-runners/drone-runner-docker/engine"
 	"github.com/drone-runners/drone-runner-docker/engine/resource"
+
 	"github.com/drone/runner-go/manifest"
 
 	"github.com/google/go-cmp/cmp"
@@ -198,23 +199,3 @@ func Test_removeCloneDeps_CloneEnabled(t *testing.T) {
 		t.Log(diff)
 	}
 }
-
-func TestIsRestricedVolume(t *testing.T) {
-	tests := map[string]bool{
-		"/var/run":         true,
-		"//var/run":        true,
-		"/var/run/":        true,
-		"/var/run/.":       true,
-		"/var/run//":       true,
-		"/var/run/test/..": true,
-		"/var/./run":       true,
-		"/":                true,
-		"/drone":           false,
-		"/drone/var/run":   false,
-	}
-	for path, ok := range tests {
-		if got, want := isRestrictedVolume(path), ok; got != want {
-			t.Errorf("Want restriced %v for path %q", want, path)
-		}
-	}
-}