
Commit b6a9dc3

Mask reads from timer_stats and latency_stats
These files in /proc should be neither readable nor writable from the container. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
1 parent 614a969 commit b6a9dc3


2 files changed

+24
-12
lines changed


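--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -82,16 +82,16 @@ func New() *configs.Config {
 		},
 		MaskPaths: []string{
 			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
 		},
 		ReadonlyPaths: []string{
 			"/proc/asound",
 			"/proc/bus",
 			"/proc/fs",
 			"/proc/irq",
-			"/proc/latency_stats",
 			"/proc/sys",
 			"/proc/sysrq-trigger",
-			"/proc/timer_stats",
 		},
 	}
 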
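Review bot: The two new MaskPaths entries are moved out of ReadonlyPaths without any comment explaining how the two lists differ, so a reader of the template cannot tell from the code that a masked path is meant to be unreadable as well as unwritable, which is the whole point of this change. A short comment above `MaskPaths: []string{` such as `// MaskPaths are hidden from the container entirely (neither readable nor writable); ReadonlyPaths below only prevent writes.` would record that distinction next to the data. The enclosing New() function begins before this hunk.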
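--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3458,20 +3458,32 @@ func TestRunWriteToProcAsound(t *testing.T) {
 	logDone("run - ro write to /proc/asound")
 }
 
-func TestRunWriteToProcTimer(t *testing.T) {
+func TestRunReadProcTimer(t *testing.T) {
 	defer deleteAllContainers()
-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/timer_stats"))
-	if err == nil || code == 0 {
-		t.Fatal("standard container should not be able to write to /proc/timer_stats")
+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/timer_stats"))
+	if err != nil || code != 0 {
+		t.Fatal(err)
 	}
-	logDone("run - ro write to /proc/timer_stats")
+	if strings.Trim(out, "\n ") != "" {
+		t.Fatalf("expected to receive no output from /proc/timer_stats but received %q", out)
+	}
+	logDone("run - read /proc/timer_stats")
 }
 
-func TestRunWriteToProcLatency(t *testing.T) {
+func TestRunReadProcLatency(t *testing.T) {
+	// some kernels don't have this configured so skip the test if this file is not found
+	// on the host running the tests.
+	if _, err := os.Stat("/proc/latency_stats"); err != nil {
+		t.Skip()
+		return
+	}
 	defer deleteAllContainers()
-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/latency_stats"))
-	if err == nil || code == 0 {
-		t.Fatal("standard container should not be able to write to /proc/latency_stats")
+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/latency_stats"))
+	if err != nil || code != 0 {
+		t.Fatal(err)
+	}
+	if strings.Trim(out, "\n ") != "" {
+		t.Fatalf("expected to receive no output from /proc/latency_stats but received %q", out)
 	}
-	logDone("run - ro write to /proc/latency_stats")
+	logDone("run - read /proc/latency_stats")
 }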
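Review bot: TestRunReadProcTimer has no skip guard, while TestRunReadProcLatency first checks `os.Stat("/proc/latency_stats")` because some kernels do not expose that file; /proc/timer_stats is likewise only present on kernels built with timer statistics, so on a host without it `cat` exits non-zero and the test fails with a bare `t.Fatal(err)` instead of skipping. Mirror the guard before `defer deleteAllContainers()`: `if _, err := os.Stat("/proc/timer_stats"); err != nil {` / `t.Skip()` / `}`. The `return` after `t.Skip()` in TestRunReadProcLatency is redundant, since Skip already ends the test goroutine. In both tests, when `code != 0` with a nil `err` the failure prints only `<nil>`; `t.Fatalf("cat exited with code %d: %v", code, err)` would make the masked-read failure diagnosable from the log alone.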
