From b61144a93d9306624378a93944d0a08c60436554 Mon Sep 17 00:00:00 2001 From: Eric Yang Date: Fri, 20 Oct 2017 12:02:06 -0400 Subject: [PATCH] YARN-7353. Improved volume mount check for directories and unit test compatibility on RHEL7. Contributed by Eric Badger. --- .../impl/utils/docker-util.c | 5 +- .../test/utils/test_docker_util.cc | 103 +++++++++--------- 2 files changed, 55 insertions(+), 53 deletions(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c index 860320d907..e8e2b9e9aa 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c @@ -687,8 +687,9 @@ static int check_mount_permitted(const char **permitted_mounts, const char *requ } // directory check permitted_mount_len = strlen(permitted_mounts[i]); - if (permitted_mount_len > 0 - && permitted_mounts[i][permitted_mount_len - 1] == '/') { + struct stat path_stat; + stat(permitted_mounts[i], &path_stat); + if(S_ISDIR(path_stat.st_mode)) { if (strncmp(normalized_path, permitted_mounts[i], permitted_mount_len) == 0) { ret = 1; break; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc index c627ca84e4..c42cd787ef 100644 
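Review bot: The return value of `stat()` is ignored and `path_stat` is never initialized, so when `permitted_mounts[i]` does not exist or cannot be stat'ed (the function is only reached with entries taken from the allowed-mounts config, which need not exist on this host) `S_ISDIR(path_stat.st_mode)` evaluates an indeterminate value and the entry may be treated as a directory prefix by chance; fold the check into the condition: `struct stat path_stat; if (stat(permitted_mounts[i], &path_stat) == 0 && S_ISDIR(path_stat.st_mode)) {`. The removed trailing-`/` test was also what made the following `strncmp(normalized_path, permitted_mounts[i], permitted_mount_len)` a whole-component match; with a directory entry that has no trailing slash (the updated unit test passes `"/etc"` directly), a sibling path sharing the prefix would satisfy the prefix compare as well, so either document that callers always hand in normalized entries ending in `/` or append the check here, e.g. `&& (permitted_mounts[i][permitted_mount_len - 1] == '/' || normalized_path[permitted_mount_len] == '/' || normalized_path[permitted_mount_len] == '\0')`. Note that `stat()` follows symlinks, so a symlink to a directory is now accepted as a directory prefix; a one-line comment stating that this is intended would help the next reader. check_mount_permitted begins and ends outside the hunk.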
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc @@ -429,13 +429,14 @@ namespace ContainerExecutor { } TEST_F(TestDockerUtil, test_check_mount_permitted) { - const char *permitted_mounts[] = {"/usr/", "/bin/ls", NULL}; + const char *permitted_mounts[] = {"/etc", "/usr/bin/touch", "/tmp/", NULL}; std::vector > test_data; - test_data.push_back(std::make_pair("/usr", 1)); - test_data.push_back(std::make_pair("/usr/", 1)); - test_data.push_back(std::make_pair("/bin/ls", 1)); - test_data.push_back(std::make_pair("//bin/", 0)); - test_data.push_back(std::make_pair("/tmp/random-file", -1)); + test_data.push_back(std::make_pair("/etc", 1)); + test_data.push_back(std::make_pair("/etc/", 1)); + test_data.push_back(std::make_pair("/etc/passwd", 1)); + test_data.push_back(std::make_pair("/usr/bin/touch", 1)); + test_data.push_back(std::make_pair("//usr/", 0)); + test_data.push_back(std::make_pair("/etc/random-file", -1)); std::vector >::const_iterator itr; for (itr = test_data.begin(); itr != test_data.end(); ++itr) { @@ -446,8 +447,8 @@ namespace ContainerExecutor { TEST_F(TestDockerUtil, test_normalize_mounts) { const int entries = 4; - const char *permitted_mounts[] = {"/home", "/usr", "/bin/ls", NULL}; - const char *expected[] = {"/home/", "/usr/", "/bin/ls", NULL}; + const char *permitted_mounts[] = {"/home", "/etc", "/usr/bin/touch", NULL}; + const char *expected[] = {"/home/", "/etc/", "/usr/bin/touch", NULL}; char **ptr = static_cast(malloc(entries * sizeof(char *))); for (int i = 0; i < entries; ++i) { if (permitted_mounts[i] != NULL) { 
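Review bot: The fixtures in this hunk now assume that `/etc`, `/usr/bin/touch` and `/tmp/` exist on the build host, because the production check apparently stats each permitted entry; on a host without `/usr/bin/touch` (older layouts keep it under `/bin`) the expected results in `test_data` no longer describe the code's behaviour, and the failure would look like a regression in check_mount_permitted rather than an environment difference. Consider creating the directories and files under a temporary directory in the fixture's setup and using those paths in `permitted_mounts` and `expected`, so the test is hermetic. The same host-path dependency appears in the config strings of the later hunks (`/opt`, `/lib`, `/home/`, `/etc/passwd`, `/etc/group` at @@ -659, @@ -705, @@ -768 and following); the fix is the same there. `test_check_mount_permitted` and `test_normalize_mounts` continue past the hunk.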
@@ -659,22 +660,19 @@ namespace ContainerExecutor { const int buff_len = 1024; char buff[buff_len]; int ret = 0; - std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/usr,/var,/bin/ls,..\n " - "docker.allowed.ro-mounts=/bin/cat"; + std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/opt,/var,/usr/bin/touch,..\n " + "docker.allowed.ro-mounts=/etc/passwd"; std::vector > file_cmd_vec; file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n rw-mounts=/var:/var", "-v '/var:/var' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n rw-mounts=/var/:/var/", "-v '/var/:/var/' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr:/usr", "-v '/usr:/usr' ")); + "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin/touch:/usr/bin/touch", + "-v '/usr/bin/touch:/usr/bin/touch' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/:/usr", "-v '/usr/:/usr' ")); - file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/bin/ls:/bin/ls", "-v '/bin/ls:/bin/ls' ")); - file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin:/mydisk1,/var/log/:/mydisk2", - "-v '/usr/bin:/mydisk1' -v '/var/log/:/mydisk2' ")); + "[docker-command-execution]\n docker-command=run\n rw-mounts=/opt:/mydisk1,/var/log/:/mydisk2", + "-v '/opt:/mydisk1' -v '/var/log/:/mydisk2' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n", "")); write_container_executor_cfg(container_executor_cfg_contents); 
@@ -705,10 +703,10 @@ namespace ContainerExecutor { std::vector > bad_file_cmds_vec; bad_file_cmds_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/home:/home", + "[docker-command-execution]\n docker-command=run\n rw-mounts=/lib:/lib", static_cast(INVALID_DOCKER_RW_MOUNT))); bad_file_cmds_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n rw-mounts=/bin/cat:/bin/cat", + "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin/:/usr/bin", static_cast(INVALID_DOCKER_RW_MOUNT))); bad_file_cmds_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n rw-mounts=/blah:/blah", 
@@ -768,27 +766,30 @@ namespace ContainerExecutor { const int buff_len = 1024; char buff[buff_len]; int ret = 0; - std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/usr,/var,/bin/ls\n " - "docker.allowed.ro-mounts=/bin/cat,/bin/ln"; + + std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/home/,/var,/usr/bin/touch,..\n " + "docker.allowed.ro-mounts=/etc/passwd,/etc/group"; std::vector > file_cmd_vec; file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n ro-mounts=/var:/var", "-v '/var:/var:ro' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n ro-mounts=/var/:/var/", "-v '/var/:/var/:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr:/usr", "-v '/usr:/usr:ro' ")); + "[docker-command-execution]\n docker-command=run\n ro-mounts=/home:/home", "-v '/home:/home:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/:/usr", "-v '/usr/:/usr:ro' ")); + "[docker-command-execution]\n docker-command=run\n ro-mounts=/home/:/home", "-v '/home/:/home:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/ls:/bin/ls", "-v '/bin/ls:/bin/ls:ro' ")); + "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/bin/touch:/usr/bin/touch", + "-v '/usr/bin/touch:/usr/bin/touch:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/ln:/bin/ln", "-v '/bin/ln:/bin/ln:ro' ")); + "[docker-command-execution]\n docker-command=run\n ro-mounts=/etc/group:/etc/group", + "-v '/etc/group:/etc/group:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/cat:/bin/cat", - "-v '/bin/cat:/bin/cat:ro' ")); + "[docker-command-execution]\n 
docker-command=run\n ro-mounts=/etc/passwd:/etc/passwd", + "-v '/etc/passwd:/etc/passwd:ro' ")); file_cmd_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/bin:/mydisk1,/bin/cat:/bin/cat", - "-v '/usr/bin:/mydisk1:ro' -v '/bin/cat:/bin/cat:ro' ")); + "[docker-command-execution]\n docker-command=run\n ro-mounts=/var/log:/mydisk1,/etc/passwd:/etc/passwd", + "-v '/var/log:/mydisk1:ro' -v '/etc/passwd:/etc/passwd:ro' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n", "")); write_container_executor_cfg(container_executor_cfg_contents); @@ -819,7 +820,7 @@ namespace ContainerExecutor { std::vector > bad_file_cmds_vec; bad_file_cmds_vec.push_back(std::make_pair( - "[docker-command-execution]\n docker-command=run\n ro-mounts=/home:/home", + "[docker-command-execution]\n docker-command=run\n ro-mounts=/etc:/etc", static_cast(INVALID_DOCKER_RO_MOUNT))); bad_file_cmds_vec.push_back(std::make_pair( "[docker-command-execution]\n docker-command=run\n ro-mounts=/blah:/blah", @@ -855,7 +856,7 @@ namespace ContainerExecutor { TEST_F(TestDockerUtil, test_docker_run_privileged) { - std::string container_executor_contents = "[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n" + std::string container_executor_contents = "[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n" " docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n " " docker.privileged-containers.enabled=1\n docker.allowed.capabilities=CHOWN,SETUID\n" " docker.allowed.devices=/dev/test"; 
@@ -882,36 +883,36 @@ namespace ContainerExecutor { file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash' " "'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' 
--cap-add='CHOWN' " "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash'" " 'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' " + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' " "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' " "'bash' 'test_script.sh' 'arg1' 'arg2' ")); 
@@ -919,12 +920,12 @@ namespace ContainerExecutor { file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' " + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' " "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --group-add '1000' --group-add '1001' " "--device='/dev/test:/dev/test' 'docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' ")); @@ -945,7 +946,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/var/log:/var/log\n" + " ro-mounts=/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/var/log:/var/log\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", 
@@ -955,7 +956,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/bin:/bin,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/bin:/bin,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", @@ -965,7 +966,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", @@ -975,7 +976,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", 
@@ -985,7 +986,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", @@ -996,11 +997,11 @@ namespace ContainerExecutor { TEST_F(TestDockerUtil, test_docker_run_no_privileged) { - std::string container_executor_contents[] = {"[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n" + std::string container_executor_contents[] = {"[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n" " docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n " " docker.allowed.capabilities=CHOWN,SETUID\n" " docker.allowed.devices=/dev/test", - "[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n" + "[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n" " docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n " " docker.allowed.capabilities=CHOWN,SETUID\n" " privileged=0\n" 
@@ -1029,24 +1030,24 @@ namespace ContainerExecutor { file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash' " "'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" - " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " + " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' 
--cap-drop='ALL' --cap-add='CHOWN' " "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash'" " 'test_script.sh' 'arg1' 'arg2' ")); @@ -1054,7 +1055,7 @@ namespace ContainerExecutor { bad_file_cmd_vec.push_back(std::make_pair( "[docker-command-execution]\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" - " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n" + " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2",