55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From 3b24c397492b921ce00f9786c8f6dd22cf2bb420 Mon Sep 17 00:00:00 2001
|
|
From: zhangyu235 <zhangyu235@huawei.com>
|
|
Date: Fri, 18 Jan 2019 21:31:47 +0800
|
|
Subject: [PATCH 061/111] docker: check seccomp file size(max:10M)
|
|
before read into memory
|
|
|
|
reason:when seccomp file size is not limited, docker may result in memory OOM
|
|
|
|
Cherry-pick from docker 1.11.2:
|
|
- 3660784 check seccomp file size(max:10M) before read into memory
|
|
|
|
Change-Id: I6289b2e84e5aaf6d876e689c842f9d18acaf6814
|
|
Signed-off-by: xueshaojia <xueshaojia@huawei.com>
|
|
Signed-off-by: zhangyu235 <zhangyu235@huawei.com>
|
|
---
|
|
components/cli/cli/command/container/opts.go | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
|
|
index 8e07aa77cb..cbbc110f9c 100644
|
|
--- a/components/cli/cli/command/container/opts.go
|
|
+++ b/components/cli/cli/command/container/opts.go
|
|
@@ -5,6 +5,7 @@ import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
+ "os"
|
|
"path"
|
|
"regexp"
|
|
"strconv"
|
|
@@ -27,6 +28,8 @@ var (
|
|
deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
|
|
)
|
|
|
|
+const seccompFileMaxSize = 10 * 1024 * 1024
|
|
+
|
|
// containerOptions is a data object with all the options for creating a container
|
|
type containerOptions struct {
|
|
attach opts.ListOpts
|
|
@@ -726,6 +729,11 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
|
|
}
|
|
}
|
|
if con[0] == "seccomp" && con[1] != "unconfined" {
|
|
+ if fileInfo, err := os.Stat(con[1]); err != nil {
|
|
+ return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: %v", con[1], err)
|
|
+ } else if fileInfo.Size() > seccompFileMaxSize {
|
|
+ return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], seccompFileMaxSize/1024/1024)
|
|
+ }
|
|
f, err := ioutil.ReadFile(con[1])
|
|
if err != nil {
|
|
return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
|
|
--
|
|
2.17.1
|
|
|