move restricted mount to helper function
This commit is contained in:
Brad Rydzewski
@@ -5,6 +5,7 @@
|
||||
package compiler
|
||||
|
||||
import (
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/drone-runners/drone-runner-docker/engine"
|
||||
@@ -136,3 +137,27 @@ func convertPullPolicy(s string) engine.PullPolicy {
|
||||
return engine.PullDefault
|
||||
}
|
||||
}
|
||||
|
||||
// helper function returns true if mounting the volume
|
||||
// is restricted for un-trusted containers.
|
||||
func isRestrictedVolume(path string) bool {
|
||||
path, _ = filepath.Abs(path)
|
||||
path = strings.ToLower(path)
|
||||
switch {
|
||||
case path == "/":
|
||||
case path == "/var":
|
||||
case strings.Contains(path, "/var/run"):
|
||||
case strings.Contains(path, "/proc"):
|
||||
case strings.Contains(path, "/mount"):
|
||||
case strings.Contains(path, "/bin"):
|
||||
case strings.Contains(path, "/usr/local/bin"):
|
||||
case strings.Contains(path, "/mnt"):
|
||||
case strings.Contains(path, "/media"):
|
||||
case strings.Contains(path, "/sys"):
|
||||
case strings.Contains(path, "/dev"):
|
||||
case strings.Contains(path, "/etc/docker"):
|
||||
default:
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user