reduce restricted volume false positives

2021-01-08 10:32:39 -05:00
parent 77684a5864
commit ea74fa2ba4
2 changed files with 31 additions and 11 deletions
--- a/engine/compiler/util.go
+++ b/engine/compiler/util.go
@@ -147,18 +147,18 @@ func isRestrictedVolume(path string) bool {
 	case path == "/":
 	case path == "/var":
 	case path == "/etc":
-	case strings.Contains(path, "/var/run"):
-	case strings.Contains(path, "/proc"):
-	case strings.Contains(path, "/mount"):
-	case strings.Contains(path, "/bin"):
-	case strings.Contains(path, "/usr/local/bin"):
-	case strings.Contains(path, "/usr/local/sbin"):
-	case strings.Contains(path, "/usr/bin"):
-	case strings.Contains(path, "/mnt"):
-	case strings.Contains(path, "/media"):
+	case strings.HasPrefix(path, "/var/run"):
+	case strings.HasPrefix(path, "/proc"):
+	case strings.HasPrefix(path, "/mount"):
+	case strings.HasPrefix(path, "/bin"):
+	case strings.HasPrefix(path, "/usr/local/bin"):
+	case strings.HasPrefix(path, "/usr/local/sbin"):
+	case strings.HasPrefix(path, "/usr/bin"):
+	case strings.HasPrefix(path, "/mnt"):
+	case strings.HasPrefix(path, "/media"):
 	case strings.Contains(path, "/sys"):
-	case strings.Contains(path, "/dev"):
-	case strings.Contains(path, "/etc/docker"):
+	case strings.HasPrefix(path, "/dev"):
+	case strings.HasPrefix(path, "/etc/docker"):
 	default:
 		return false
 	}