github.com/rawahars/moby@v24.0.4+incompatible/daemon/volumes_linux.go (about) 1 package daemon 2 3 import ( 4 "strings" 5 6 "github.com/docker/docker/api/types/mount" 7 "github.com/docker/docker/errdefs" 8 "github.com/pkg/errors" 9 ) 10 11 // validateBindDaemonRoot ensures that if a given mountpoint's source is within 12 // the daemon root path, that the propagation is setup to prevent a container 13 // from holding private references to a mount within the daemon root, which 14 // can cause issues when the daemon attempts to remove the mountpoint. 15 func (daemon *Daemon) validateBindDaemonRoot(m mount.Mount) (bool, error) { 16 if m.Type != mount.TypeBind { 17 return false, nil 18 } 19 20 // check if the source is within the daemon root, or if the daemon root is within the source 21 if !strings.HasPrefix(m.Source, daemon.root) && !strings.HasPrefix(daemon.root, m.Source) { 22 return false, nil 23 } 24 25 if m.BindOptions == nil { 26 return true, nil 27 } 28 29 switch m.BindOptions.Propagation { 30 case mount.PropagationRSlave, mount.PropagationRShared, "": 31 return m.BindOptions.Propagation == "", nil 32 default: 33 } 34 35 return false, errdefs.InvalidParameter(errors.Errorf(`invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: %q, bind mount source: %q, propagation: %q`, daemon.root, m.Source, m.BindOptions.Propagation)) 36 }