
Commit 96ad6f9

container: add ability to mask path
1 parent 5a79fa2 commit 96ad6f9

5 files changed

+65
-30
lines changed


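--- a/env/env_linux.go
+++ b/env/env_linux.go
@@ -31,32 +31,38 @@ func NewBuilder(c Config) (pool.EnvBuilder, error) {
 c.Info("Created tmp dir for container root at:", root)
 
 var (
-mb *mount.Builder
-sym []container.SymbolicLink
+mountBuilder *mount.Builder
+symbolicLinks []container.SymbolicLink
+maskPaths []string
 )
 mc, err := readMountConfig(c.MountConf)
 if err != nil {
 if !os.IsNotExist(err) {
 return nil, err
 }
 c.Info("Mount.yaml(", c.MountConf, ") does not exists, use the default container mount")
-mb = getDefaultMount(c.TmpFsParam)
+mountBuilder = getDefaultMount(c.TmpFsParam)
 } else {
-mb, err = parseMountConfig(mc)
+mountBuilder, err = parseMountConfig(mc)
 if err != nil {
 return nil, err
 }
 }
 if mc != nil && len(mc.SymLinks) > 0 {
-sym = make([]container.SymbolicLink, 0, len(mc.SymLinks))
+symbolicLinks = make([]container.SymbolicLink, 0, len(mc.SymLinks))
 for _, l := range mc.SymLinks {
-sym = append(sym, container.SymbolicLink{LinkPath: l.LinkPath, Target: l.Target})
+symbolicLinks = append(symbolicLinks, container.SymbolicLink{LinkPath: l.LinkPath, Target: l.Target})
 }
 } else {
-sym = defaultSymLinks
+symbolicLinks = defaultSymLinks
 }
-m := mb.FilterNotExist().Mounts
-c.Info("Created container mount at:", mb)
+if mc != nil && len(mc.MaskPaths) > 0 {
+maskPaths = mc.MaskPaths
+} else {
+maskPaths = defaultMaskPaths
+}
+m := mountBuilder.FilterNotExist().Mounts
+c.Info("Created container mount at:", mountBuilder)
 
 seccomp, err := readSeccompConf(c.SeccompConf)
 if err != nil {
@@ -99,7 +105,8 @@ func NewBuilder(c Config) (pool.EnvBuilder, error) {
 b := &container.Builder{
 Root: root,
 Mounts: m,
-SymbolicLinks: sym,
+SymbolicLinks: symbolicLinks,
+MaskPaths: maskPaths,
 CredGenerator: credGen,
 Stderr: os.Stderr,
 CloneFlags: unshareFlags,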
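Review bot: The mask-path selection at new lines 59-63 silently substitutes defaultMaskPaths whenever the configured list is empty, so an operator cannot turn masking off from mount.yaml, and nothing records which list was applied even though the mount builder is logged on the next line. A comment on the branch stating that an empty or missing `maskPath` means "use the built-in list", plus `c.Info("Masking container paths:", maskPaths)`, would make the effective hardening visible in the logs. The entries taken from mc.MaskPaths are also handed to container.Builder unvalidated; unless the builder normalizes them itself, rejecting non-absolute entries with `filepath.IsAbs` up front would stop a mistyped mount.yaml from masking an unintended location. NewBuilder starts before and ends after this hunk.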

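--- a/env/mount_linux.go
+++ b/env/mount_linux.go
@@ -28,14 +28,15 @@ type Link struct {
 
 // Mounts defines mount points for the container.
 type Mounts struct {
-Mount []Mount `yaml:"mount"`
-SymLinks []Link `yaml:"symLink"`
-WorkDir string `yaml:"workDir"`
-HostName string `yaml:"hostName"`
-DomainName string `yaml:"domainName"`
-UID int `yaml:"uid"`
-GID int `yaml:"gid"`
-Proc bool `yaml:"proc"`
+Mount []Mount `yaml:"mount"`
+SymLinks []Link `yaml:"symLink"`
+MaskPaths []string `yaml:"maskPath"`
+WorkDir string `yaml:"workDir"`
+HostName string `yaml:"hostName"`
+DomainName string `yaml:"domainName"`
+UID int `yaml:"uid"`
+GID int `yaml:"gid"`
+Proc bool `yaml:"proc"`
 }
 
 func readMountConfig(p string) (*Mounts, error) {
@@ -121,3 +122,17 @@ var defaultSymLinks = []container.SymbolicLink{
 {LinkPath: "/dev/stdout", Target: "/proc/self/fd/1"},
 {LinkPath: "/dev/stderr", Target: "/proc/self/fd/2"},
 }
+
+var defaultMaskPaths = []string{
+"/proc/acpi",
+"/proc/asound",
+"/proc/kcore",
+"/proc/keys",
+"/proc/latency_stats",
+"/proc/timer_list",
+"/proc/timer_stats",
+"/proc/sched_debug",
+"/proc/scsi",
+"/usr/lib/wsl/drivers",
+"/usr/lib/wsl/lib",
+}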
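Review bot: defaultMaskPaths in the second hunk has no doc comment, and neither does the new MaskPaths field, so a reader has to go to env_linux.go to learn that the list is only applied when mount.yaml sets no `maskPath`. Suggest `// defaultMaskPaths lists host paths hidden from the container when mount.yaml does not set maskPath; they expose kernel and hardware details (for example /proc/kcore) a sandboxed program has no business reading.` above the var, and `// MaskPaths are paths to hide inside the container; empty means the built-in default list.` on the field. The set closely resembles what common container runtimes mask by default, minus /sys/firmware, which may be worth adding for the same reason. Because env_linux.go assigns this package-level slice directly rather than copying it, any caller that appends to or sorts the assigned slice would mutate the defaults for every later builder; if that is not guaranteed elsewhere, handing out a clone is the safer contract.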

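--- a/go.mod
+++ b/go.mod
@@ -4,12 +4,12 @@ go 1.17
 
 require (
 github.com/creack/pty v1.1.17
-github.com/criyle/go-sandbox v0.8.10
+github.com/criyle/go-sandbox v0.8.11
 github.com/elastic/go-seccomp-bpf v1.2.0
 github.com/elastic/go-ucfg v0.8.4
 github.com/gin-contrib/pprof v1.3.0
 github.com/gin-contrib/zap v0.0.1
-github.com/gin-gonic/gin v1.7.4
+github.com/gin-gonic/gin v1.7.7
 github.com/golang/protobuf v1.5.2
 github.com/gorilla/websocket v1.4.2
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
@@ -19,9 +19,9 @@ require (
 github.com/zsais/go-gin-prometheus v0.1.0
 go.uber.org/zap v1.19.1
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871
-golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4
+golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881
 google.golang.org/grpc v1.42.0
 google.golang.org/protobuf v1.27.1
 gopkg.in/yaml.v2 v2.4.0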

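--- a/go.sum
+++ b/go.sum
@@ -69,8 +69,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/criyle/go-sandbox v0.8.10 h1:iw5zI5YAEDlhBBDtJdiFoILMcuYQWnbj3CGA8ErWdVg=
-github.com/criyle/go-sandbox v0.8.10/go.mod h1:ficIk6tNwu96V8MdfJnGaM7GeXuU+PMILAkq7RPQPuQ=
+github.com/criyle/go-sandbox v0.8.11 h1:j37dLBCNRTCCBNPLerpOxgV1dFx4ioZdbFYArLghkas=
+github.com/criyle/go-sandbox v0.8.11/go.mod h1:Zo9IpOfqD5BpsZUcrGDjV7DedILcOkfcRL+diW9TYGo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -99,8 +99,8 @@ github.com/gin-contrib/zap v0.0.1 h1:wsX/ahRftxPiXpiUw0YqyHj+TQTKtv+DAFWH84G1Uvg
 github.com/gin-contrib/zap v0.0.1/go.mod h1:vJJndZ8f44gsTHQrDPIB4YOZzwOwiEIdE0mMrZLOogk=
 github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do=
 github.com/gin-gonic/gin v1.6.2/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
-github.com/gin-gonic/gin v1.7.4 h1:QmUZXrvJ9qZ3GfWvQ+2wnW/1ePrTEJqPKMYEU3lD/DM=
-github.com/gin-gonic/gin v1.7.4/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
+github.com/gin-gonic/gin v1.7.7 h1:3DoBmSbJbZAWqXJC3SLjAPfutPJJRN1U5pALB7EeTTs=
+github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -394,8 +394,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4 h1:DZshvxDdVoeKIbudAdFEKi+f70l51luSy/7b76ibTY0=
-golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9 h1:0qxwC5n+ttVOINCBeRHO0nq9X7uy8SDsPoi5OaCdIEI=
+golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -460,8 +460,8 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1 h1:kwrAHlwJ0DUBZwQ238v+Uod/3eZ8B2K5rYsUHBQvzmI=
-golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881 h1:TyHqChC80pFkXWraUUf6RuB5IqFdQieMLwwCJokV2pc=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=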

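--- a/mount.yaml
+++ b/mount.yaml
@@ -82,6 +82,19 @@ symLink:
 target: /proc/self/fd/1
 - linkPath: /dev/stderr
 target: /proc/self/fd/2
+# mask mounted paths with empty / null mount
+maskPath:
+- /proc/acpi
+- /proc/asound
+- /proc/kcore
+- /proc/keys
+- /proc/latency_stats
+- /proc/timer_list
+- /proc/timer_stats
+- /proc/sched_debug
+- /proc/scsi
+- /usr/lib/wsl/drivers
+- /usr/lib/wsl/lib
 # container work directory
 workDir: /w
 # container host name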
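Review bot: The comment above the new maskPath list does not say what happens when the key is omitted or left empty; env_linux.go in this commit then falls back to a built-in default list, and an operator editing this sample file has no way to know that an empty list will not disable masking. Suggest `# paths hidden from the container (mounted over with an empty / null mount); omit or leave empty to use the server's built-in default list`. Also worth a trailing remark that the two /usr/lib/wsl entries only matter on WSL hosts and are harmless elsewhere, since a missing path appears to be filtered out before mounting.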
