You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/01 20:06:01 UTC
mesos git commit: Updated docker volume isolator to return non-shell
'pre_exec_commands'.
Repository: mesos
Updated Branches:
refs/heads/master 202e1933c -> ca5eaad82
Updated docker volume isolator to return non-shell 'pre_exec_commands'.
Review: https://reviews.apache.org/r/50535/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ca5eaad8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ca5eaad8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ca5eaad8
Branch: refs/heads/master
Commit: ca5eaad82f69309de427aab3ec2ed7976c9cc850
Parents: 202e193
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 13:05:53 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Mon Aug 1 13:05:53 2016 -0700
----------------------------------------------------------------------
.../mesos/isolators/docker/volume/isolator.cpp | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/ca5eaad8/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
index 70ea5ca..d10c424 100644
--- a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
+++ b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
@@ -491,9 +491,18 @@ Future<Option<ContainerLaunchInfo>> DockerVolumeIsolatorProcess::_prepare(
LOG(INFO) << "Mounting docker volume mount point '" << source
<< "' to '" << target << "' for container " << containerId;
- const string command = "mount -n --rbind '" + source + "' '" + target + "'";
-
- launchInfo.add_pre_exec_commands()->set_value(command);
+ // Launch mount command as a non-shell subprocess to avoid
+ // injecting arbitrary shell commands (e.g., user defined
+ // 'container_path' in volume can be postfixed with any
+ // unsafe arbitrary commands).
+ CommandInfo* command = launchInfo.add_pre_exec_commands();
+ command->set_shell(false);
+ command->set_value("mount");
+ command->add_arguments("mount");
+ command->add_arguments("-n");
+ command->add_arguments("--rbind");
+ command->add_arguments(source);
+ command->add_arguments(target);
}
return launchInfo;