github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/daemon/volumes_linux.go (about)

     1  package daemon
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/docker/docker/api/types/mount"
     7  	"github.com/docker/docker/errdefs"
     8  	"github.com/pkg/errors"
     9  )
    10  
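// validateBindDaemonRoot checks a bind mount whose source overlaps the daemon
// root path. Such a mount must not use a propagation mode that lets a container
// hold private references to a mount within the daemon root, which can cause
// issues when the daemon attempts to remove the mountpoint.
//
// It returns (false, nil) when m is not a bind mount, or when its source neither
// lies within the daemon root nor contains it. For an overlapping source it
// returns (true, nil) when no propagation mode was requested (BindOptions is nil
// or Propagation is empty), (false, nil) when the mode is "rslave" or "rshared",
// and an InvalidParameter error for any other mode.
func (daemon *Daemon) validateBindDaemonRoot(m mount.Mount) (bool, error) {
	if m.Type != mount.TypeBind {
		return false, nil
	}

	// within reports whether child equals parent or lies beneath it. It matches
	// on whole path components, so a sibling such as "<root>-backup" is not
	// mistaken for a path inside "<root>" the way a bare prefix test would.
	// An empty parent matches everything, as a bare prefix test does.
	within := func(parent, child string) bool {
		if parent == "" || parent == child {
			return true
		}
		if !strings.HasSuffix(parent, "/") {
			parent += "/"
		}
		return strings.HasPrefix(child, parent)
	}

	// Check if the source is within the daemon root, or if the daemon root is
	// within the source.
	// NOTE(review): the comparison is purely lexical on the strings as given;
	// symlinks and ".." segments are not resolved here — confirm that callers
	// pass a normalised m.Source.
	if !within(daemon.root, m.Source) && !within(m.Source, daemon.root) {
		return false, nil
	}

	if m.BindOptions == nil {
		return true, nil
	}

	switch m.BindOptions.Propagation {
	case "":
		// No mode requested: report the overlap to the caller.
		return true, nil
	case mount.PropagationRSlave, mount.PropagationRShared:
		// Already one of the two accepted modes.
		return false, nil
	}

	return false, errdefs.InvalidParameter(errors.Errorf(`invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: %q, bind mount source: %q, propagation: %q`, daemon.root, m.Source, m.BindOptions.Propagation))
}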