chaos/drone-runner-podman
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

increase list of restricted volumes

Browse Source
This commit is contained in:
Brad Rydzewski
2020-08-17 23:10:46 -04:00
parent 8a8164e2de
commit a8d9c659bf
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
engine/compiler/compiler.go
View File

@@ -463,6 +463,8 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
if len(step.Entrypoint) > 0 { if len(step.Entrypoint) > 0 {
return false return false
} }
// privileged-by-default mode is disabled if the
// pipeline step mounts a restricted volume.
for _, mount := range step.Volumes { for _, mount := range step.Volumes {
path, _ := filepath.Abs(mount.MountPath) path, _ := filepath.Abs(mount.MountPath)
path = strings.ToLower(path) path = strings.ToLower(path)
@@ -473,6 +475,24 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
return false return false
case strings.Contains(path, "/var/run"): case strings.Contains(path, "/var/run"):
return false return false
case strings.Contains(path, "/proc"):
return false
case strings.Contains(path, "/mount"):
return false
case strings.Contains(path, "/bin"):
return false
case strings.Contains(path, "/usr/local/bin"):
return false
case strings.Contains(path, "/mnt"):
return false
case strings.Contains(path, "/media"):
return false
case strings.Contains(path, "/sys"):
return false
case strings.Contains(path, "/dev"):
return false
case strings.Contains(path, "/etc/docker"):
return false
} }
} }
// if the container image matches any image // if the container image matches any image