zhang2587341450
2024 年 12 月 24 日
iKuai 的新版 docker 做了限制
- 对新建的容器执行挂载路径检查，只允许挂载 /etc/disk_user 目录（也就是 web 上显示的目录）下的路径；一旦发现跨目录，检查直接返回 false，容器无法新建
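__check_srcpath()
{
  # Validate a comma-separated list of mount specs ("src[:dst[:opts]]").
  # Every src must be an absolute path below ROOT_PATH, must not contain
  # "..", must start with a component that is a symlink to a directory,
  # and the full path must exist both below ROOT_PATH and below the
  # symlink target.
  # Arguments: $1 - comma-separated mount specs; only the part of each
  #                 entry before its first ':' is checked
  #            $2 - root directory the sources must live in
  #                 (optional, defaults to /etc/disk_user)
  # Outputs:   "<src> not found" on stdout for the first rejected entry
  # Returns:   0 if every source passes, 1 at the first failure
  local ROOT_PATH="${2:-/etc/disk_user}"
  local srcpaths="$1"
  local spec path_dir abs_path hardlink comp i
  local -a specs parts raw

  # Split on ',' only, so a source containing spaces stays one entry.
  IFS=',' read -r -a specs <<<"$srcpaths"

  for spec in "${specs[@]}"; do
    # Drop everything from the first ':' (destination and mount options).
    path_dir=${spec%%:*}

    if [ "$path_dir" = "/" ]; then
      printf '%s not found\n' "$path_dir"
      return 1
    fi

    # Reject ".." anywhere in the path; "a..b" is rejected too, deliberately.
    if [ "${path_dir//\.\./}" != "$path_dir" ]; then
      printf '%s not found\n' "$path_dir"
      return 1
    fi

    abs_path="${ROOT_PATH}${path_dir}"
    if [ ! -e "$abs_path" ]; then
      printf '%s not found\n' "$path_dir"
      return 1
    fi

    # Split into components, dropping empty ones from leading or doubled '/'.
    parts=()
    IFS='/' read -r -a raw <<<"$path_dir"
    for comp in "${raw[@]}"; do
      if [ -n "$comp" ]; then
        parts+=("$comp")
      fi
    done

    # NOTE(review): entries directly below ROOT_PATH are expected to be
    # symlinks; readlink prints nothing for a plain directory, so a
    # non-symlink (or an empty path) is rejected here. A relative link
    # target is tested relative to the current directory — confirm.
    # The "|| hardlink=" keeps a failing readlink from tripping set -e in
    # the caller, matching the original "local x=$(...)" behaviour.
    hardlink=$(readlink "${ROOT_PATH}/${parts[0]-}") || hardlink=
    if [ ! -d "$hardlink" ]; then
      printf '%s not found\n' "$path_dir"
      return 1
    fi

    # Re-append the remaining components below the link target.
    for ((i = 1; i < ${#parts[@]}; i++)); do
      hardlink+="/${parts[i]}"
    done

    # NOTE(review): components after the first are only tested with -e,
    # which follows symlinks; this check does not canonicalize the path
    # (e.g. with realpath -e) — confirm that is acceptable.
    if [ ! -e "$hardlink" ]; then
      printf '%s not found\n' "$path_dir"
      return 1
    fi
  done

  return 0
}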
- 对原有 Docker 容器的配置文件进行挂载路径检查，发现源路径异常后修改配置文件，取消该容器的所有挂载点
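__check_config_json()
{
  # Walk every container directory below the docker containers root, read
  # the persisted config.v2.json and, if any mount's Source is outside
  # /etc/disk_user/ or contains "..", clear that container's MountPoints.
  # Globals:   work_path (read) - docker data root; only used when $1 is empty
  # Arguments: $1 - containers directory (optional; defaults to
  #                 "$work_path/lib/containers")
  # Outputs:   diagnostics on stderr for containers that could not be rewritten
  # Returns:   0; a container that cannot be rewritten is reported and skipped
  # NOTE(review): only config.v2.json is rewritten; docker also keeps
  # HostConfig.Binds in hostconfig.json next to it — confirm the daemon does
  # not re-derive MountPoints from it on the next start.
  local config_path="${1:-$work_path/lib/containers}"
  local config_dir config_path_one mount_one invalid tmp_json

  # Glob instead of parsing ls so odd directory names cannot break the loop.
  for config_dir in "$config_path"/*/; do
    config_path_one="${config_dir}config.v2.json"
    [ -f "$config_path_one" ] || continue

    invalid=0
    # Query the Source values with jq instead of grepping its pretty output;
    # a Source containing spaces or quotes would otherwise be mis-parsed.
    while IFS= read -r mount_one; do
      [ "$mount_one" ] || continue
      case "$mount_one" in
        /etc/disk_user/*) ;;   # inside the allowed root (trailing '/' required)
        *) invalid=1 ;;
      esac
      # ".." anywhere in the path is rejected, even as part of a name.
      case "$mount_one" in
        *..*) invalid=1 ;;
      esac
    done < <(jq -r '(.MountPoints // {})[] | .Source // empty' "$config_path_one")

    [ "$invalid" = "1" ] || continue

    # Write the replacement next to the original (same filesystem, no
    # predictable name in /tmp) and only swap it in when jq succeeded, so a
    # parse error no longer leaves an empty config.v2.json behind.
    tmp_json=$(mktemp "${config_dir}config.v2.json.XXXXXX") || {
      printf 'cannot create temp file in %s\n' "$config_dir" >&2
      continue
    }

    # Clear immutable/append-only flags first. Not every filesystem supports
    # them, so do not abort here; a file that is still protected shows up as
    # a failed mv below.
    chattr -i "$config_path_one" || :
    chattr -a "$config_path_one" || :

    if ! jq '.MountPoints = {}' "$config_path_one" > "$tmp_json"; then
      printf 'failed to parse %s; left untouched\n' "$config_path_one" >&2
      rm -f -- "$tmp_json"
      continue
    fi
    if ! mv -f -- "$tmp_json" "$config_path_one"; then
      printf 'failed to replace %s\n' "$config_path_one" >&2
      rm -f -- "$tmp_json"
    fi
  done

  return 0
}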