Merge pull request #1314 from runcom/overlay-mounts

libcontainer: rootfs_linux: support overlayfs
opencontainers · Feb 8, 2017 · a8d7eb7 · a8d7eb7
2 parents b263a43 + ca14e7b
commit a8d7eb7
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -313,6 +313,19 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 			}
 		}
 	default:
+		// ensure that the destination of the mount is resolved of symlinks at mount time because
+		// any previous mounts can invalidate the next mount's destination.
+		// this can happen when a user specifies mounts within other mounts to cause breakouts or other
+		// evil stuff to try to escape the container's rootfs.
+		var err error
+		if dest, err = symlink.FollowSymlinkInScope(filepath.Join(rootfs, m.Destination), rootfs); err != nil {
+			return err
+		}
+		if err := checkMountDestination(rootfs, dest); err != nil {
+			return err
+		}
+		// update the mount with the correct dest after symlinks are resolved.
+		m.Destination = dest
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
 		}