
Commit b63a072

committed
Reject non-empty ContainerPath and CgroupPermissions
Since we don't use their content, it's better to fail than to ignore them, so that users get useful feedback rather than silent surprises. Signed-off-by: Paul "TBBle" Hampson <[email protected]>
1 parent 6ad361f commit b63a072

3 files changed

Lines changed: 26 additions & 0 deletions


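--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@@ -462,6 +462,14 @@ func setupWindowsDevices(devices []containertypes.DeviceMapping, isHyperV bool)
 }
 
 for _, deviceMapping := range devices {
+if deviceMapping.PathInContainer != "" {
+return nil, errors.Errorf("device container path: '%s' should be empty", deviceMapping.PathInContainer)
+}
+
+if deviceMapping.CgroupPermissions != "" {
+return nil, errors.Errorf("device cgroup permissions: '%s' must be empty", deviceMapping.CgroupPermissions)
+}
+
 srcParts := strings.SplitN(deviceMapping.PathOnHost, "/", 2)
 if len(srcParts) != 2 {
 return nil, errors.New("invalid device assignment path")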
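Review bot: The two new error messages at the top of the loop interpolate `deviceMapping.PathInContainer` and `deviceMapping.CgroupPermissions` with `'%s'`, so a string that (per the version-history entry) arrives in the create request is echoed unescaped into the error text and anything that logs it. `%q` quotes and escapes the value, e.g. `errors.Errorf("device container path: %q must be empty", deviceMapping.PathInContainer)`, and likewise for the permissions message; the tests' `ErrorContains` checks on the field value would still pass. The two messages also disagree on wording ("should be empty" vs "must be empty"); since the request is rejected outright, "must" fits both. The body of setupWindowsDevices starts and ends outside this hunk, so how these errors are mapped to an API status code cannot be judged from here.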

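--- a/daemon/oci_windows_test.go
+++ b/daemon/oci_windows_test.go
@@ -331,6 +331,20 @@ func TestSetupWindowsDevices(t *testing.T) {
 assert.Equal(t, len(devices), 0)
 })
 
+t.Run("it fails if any devices have PathInContainer and HyperV is disabled", func(t *testing.T) {
+devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything", PathInContainer: "somepath"}, {PathOnHost: "class/goes"}}, false)
+assert.ErrorContains(t, err, "device container path")
+assert.ErrorContains(t, err, "somepath")
+assert.Equal(t, len(devices), 0)
+})
+
+t.Run("it fails if any devices have CgroupPermissions and HyperV is disabled", func(t *testing.T) {
+devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything", CgroupPermissions: "somepermissions"}, {PathOnHost: "class/goes"}}, false)
+assert.ErrorContains(t, err, "device cgroup permissions")
+assert.ErrorContains(t, err, "somepermissions")
+assert.Equal(t, len(devices), 0)
+})
+
 t.Run("it fails if any devices are blank and HyperV is disabled", func(t *testing.T) {
 devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: ""}}, false)
 assert.ErrorContains(t, err, "invalid device assignment path")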
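Review bot: Both new subtests put the rejected mapping first in the slice, so they never exercise a rejection that follows an already-accepted device. The existing "devices are blank" case places the bad entry second; doing the same here, e.g. `{{PathOnHost: "class/anything"}, {PathOnHost: "class/goes", PathInContainer: "somepath"}}`, would make the `len(devices) == 0` assertion confirm that no partial device list is returned when validation fails mid-loop. The same reordering applies to the CgroupPermissions case.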

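--- a/docs/api/version-history.md
+++ b/docs/api/version-history.md
@@ -50,6 +50,10 @@ keywords: "API, Docker, rcli, REST, documentation"
 if they are not set.
 * `GET /info` now omits the `KernelMemory` and `KernelMemoryTCP` if they are not
 supported by the host or host's configuration (if cgroups v2 are in use).
+* `POST /containers/create` for Windows containers now rejects non-empty values in
+`HostConfig.Resources.Devices.PathInContainer` and
+`HostConfig.Resources.Devices.CgroupPermissions` that were previously silently ignored.
+This change is not versioned, and affects all API versions if the daemon has this patch.
 
 ## v1.41 API changes
 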