From 3b24c397492b921ce00f9786c8f6dd22cf2bb420 Mon Sep 17 00:00:00 2001 From: zhangyu235 Date: Fri, 18 Jan 2019 21:31:47 +0800 Subject: [PATCH 061/111] docker: check seccomp file size(max:10M) before read into memory reason:when seccomp file size is not limited, docker may result in memory OOM Cherry-pick from docker 1.11.2: - 3660784 check seccomp file size(max:10M) before read into memory Change-Id: I6289b2e84e5aaf6d876e689c842f9d18acaf6814 Signed-off-by: xueshaojia Signed-off-by: zhangyu235 --- components/cli/cli/command/container/opts.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go index 8e07aa77cb..cbbc110f9c 100644 --- a/components/cli/cli/command/container/opts.go +++ b/components/cli/cli/command/container/opts.go @@ -5,6 +5,7 @@ import ( "encoding/json" "fmt" "io/ioutil" + "os" "path" "regexp" "strconv" @@ -27,6 +28,8 @@ var ( deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`) ) +const seccompFileMaxSize = 10 * 1024 * 1024 + // containerOptions is a data object with all the options for creating a container type containerOptions struct { attach opts.ListOpts @@ -726,6 +729,11 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) { } } if con[0] == "seccomp" && con[1] != "unconfined" { + if fileInfo, err := os.Stat(con[1]); err != nil { + return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: %v", con[1], err) + } else if fileInfo.Size() > seccompFileMaxSize { + return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], seccompFileMaxSize/1024/1024) + } f, err := ioutil.ReadFile(con[1]) if err != nil { return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", con[1], err) -- 2.17.1