chaos/drone-runner-podman
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

move restricted mount to helper function

Browse Source
This commit is contained in:
Brad Rydzewski
2020-08-17 23:17:20 -04:00
parent a8d9c659bf
commit fe9dece266
2 changed files with 26 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
engine/compiler/compiler.go
View File

@@ -6,7 +6,6 @@ package compiler
import ( import (
"context" "context"
"path/filepath"
"strings" "strings"
"github.com/drone-runners/drone-runner-docker/engine" "github.com/drone-runners/drone-runner-docker/engine"
@@ -466,32 +465,7 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
// privileged-by-default mode is disabled if the // privileged-by-default mode is disabled if the
// pipeline step mounts a restricted volume. // pipeline step mounts a restricted volume.
for _, mount := range step.Volumes { for _, mount := range step.Volumes {
path, _ := filepath.Abs(mount.MountPath) if isRestrictedVolume(mount.MountPath) {
path = strings.ToLower(path)
switch {
case path == "/":
return false
case path == "/var":
return false
case strings.Contains(path, "/var/run"):
return false
case strings.Contains(path, "/proc"):
return false
case strings.Contains(path, "/mount"):
return false
case strings.Contains(path, "/bin"):
return false
case strings.Contains(path, "/usr/local/bin"):
return false
case strings.Contains(path, "/mnt"):
return false
case strings.Contains(path, "/media"):
return false
case strings.Contains(path, "/sys"):
return false
case strings.Contains(path, "/dev"):
return false
case strings.Contains(path, "/etc/docker"):
return false return false
} }
} }

25
engine/compiler/util.go
View File

@@ -5,6 +5,7 @@
package compiler package compiler
import ( import (
"path/filepath"
"strings" "strings"
"github.com/drone-runners/drone-runner-docker/engine" "github.com/drone-runners/drone-runner-docker/engine"
@@ -136,3 +137,27 @@ func convertPullPolicy(s string) engine.PullPolicy {
return engine.PullDefault return engine.PullDefault
} }
} }
// helper function returns true if mounting the volume
// is restricted for un-trusted containers.
func isRestrictedVolume(path string) bool {
path, _ = filepath.Abs(path)
path = strings.ToLower(path)
switch {
case path == "/":
case path == "/var":
case strings.Contains(path, "/var/run"):
case strings.Contains(path, "/proc"):
case strings.Contains(path, "/mount"):
case strings.Contains(path, "/bin"):
case strings.Contains(path, "/usr/local/bin"):
case strings.Contains(path, "/mnt"):
case strings.Contains(path, "/media"):
case strings.Contains(path, "/sys"):
case strings.Contains(path, "/dev"):
case strings.Contains(path, "/etc/docker"):
default:
return false
}
return true
}