Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docker: disallow volume mounts from host by default #9321

Merged
merged 1 commit into from
Nov 11, 2020
Merged

docker: disallow volume mounts from host by default #9321

merged 1 commit into from
Nov 11, 2020

Conversation

tgross
Copy link
Member

@tgross tgross commented Nov 11, 2020

Fixes #9303

The default behavior for docker.volumes.enabled is intended to be false,
but the HCL schema defaults to true if the value is unset. Set the default
literal value to true.

Additionally, Docker driver mounts of type "volume" (but not "bind") are not
being properly sandboxed with that setting. Disable Docker mounts with type
"volume" entirely whenever the docker.volumes.enabled flag is set to
false. Note this is unrelated to the volume_mount feature, which is
constrained to preconfigured host volumes or whatever is mounted by a CSI
plugin.

This changeset includes updates to unit tests that should have been failing
under the documented behavior but were not.

@tgross
docker: disallow volume mounts from host by default
c7a1724 
The default behavior for `docker.volumes.enabled` is intended to be `false`,
but the HCL schema defaults to `true` if the value is unset. Set the default
literal value to `true`.

Additionally, Docker driver mounts of type "volume" (but not "bind") are not
being properly sandboxed with that setting. Disable Docker mounts with type
"volume" entirely whenever the `docker.volumes.enabled` flag is set to
false. Note this is unrelated to the `volume_mount` feature, which is
constrained to preconfigured host volumes or whatever is mounted by a CSI
plugin.

This changeset includes updates to unit tests that should have been failing
under the documented behavior but were not.
@tgross tgross merged commit 306cfab into master Nov 11, 2020
@tgross tgross deleted the b-volume-mount-protection branch November 11, 2020 15:03
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 11, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@notnoop notnoop notnoop approved these changes

@schmichael schmichael Awaiting requested review from schmichael

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

file sandbox escape via container volume mount
2 participants
@tgross @notnoop