github.com/drone/runner-go@v1.12.0/container/volume.go

github.com/drone/runner-go@v1.12.0/container/volume.go (about)

     1  // Copyright 2021 Drone.IO Inc. All rights reserved.
     2  // Use of this source code is governed by the Polyform License
     3  // that can be found in the LICENSE file.
     4  
     5  package container
     6  
     7  import (
     8  	"path/filepath"
     9  	"strings"
    10  )
    11  
    12  // IsRestrictedVolume is helper function that
    13  // returns true if mounting the volume is restricted for un-trusted containers.
    14  func IsRestrictedVolume(path string) bool {
    15  	path, err := filepath.Abs(path)
    16  	if err != nil {
    17  		return true
    18  	}
    19  
    20  	path = strings.ToLower(path)
    21  
    22  	switch {
    23  	case path == "/":
    24  	case path == "/etc":
    25  	case path == "/etc/docker" || strings.HasPrefix(path, "/etc/docker/"):
    26  	case path == "/var":
    27  	case path == "/var/run" || strings.HasPrefix(path, "/var/run/"):
    28  	case path == "/proc" || strings.HasPrefix(path, "/proc/"):
    29  	case path == "/usr/local/bin" || strings.HasPrefix(path, "/usr/local/bin/"):
    30  	case path == "/usr/local/sbin" || strings.HasPrefix(path, "/usr/local/sbin/"):
    31  	case path == "/usr/bin" || strings.HasPrefix(path, "/usr/bin/"):
    32  	case path == "/bin" || strings.HasPrefix(path, "/bin/"):
    33  	case path == "/mnt" || strings.HasPrefix(path, "/mnt/"):
    34  	case path == "/mount" || strings.HasPrefix(path, "/mount/"):
    35  	case path == "/media" || strings.HasPrefix(path, "/media/"):
    36  	case path == "/sys" || strings.HasPrefix(path, "/sys/"):
    37  	case path == "/dev" || strings.HasPrefix(path, "/dev/"):
    38  	default:
    39  		return false
    40  	}
    41  
    42  	return true
    43  }