https://github.com/golang/go/issues/20126

    代码实现 �https://github.com/cyphar/filepath-securejoin

    1. // SecureJoinVFS joins the two given path components (similar to Join) except
    2. // that the returned path is guaranteed to be scoped inside the provided root
    3. // path (when evaluated). Any symbolic links in the path are evaluated with the
    4. // given root treated as the root of the filesystem, similar to a chroot. The
    5. // filesystem state is evaluated through the given VFS interface (if nil, the
    6. // standard os.* family of functions are used).
    7. //
    8. // Note that the guarantees provided by this function only apply if the path
    9. // components in the returned string are not modified (in other words are not
    10. // replaced with symlinks on the filesystem) after this function has returned.
    11. // Such a symlink race is necessarily out-of-scope of SecureJoin.
    12. func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
    13.     // Use the os.* VFS implementation if none was specified.
    14.     if vfs == nil {
    15.         vfs = osVFS{}
    16.     }
    18.     var path bytes.Buffer
    19.     n := 0
    20.     for unsafePath != "" {
    21.         if n > 255 {
    22.             return "", &os.PathError{Op: "SecureJoin", Path: root + "/" + unsafePath, Err: syscall.ELOOP}
    23.         }
    25.         // Next path component, p.
    26.         i := strings.IndexRune(unsafePath, filepath.Separator)
    27.         var p string
    28.         if i == -1 {
    29.             p, unsafePath = unsafePath, ""
    30.         } else {
    31.             p, unsafePath = unsafePath[:i], unsafePath[i+1:]
    32.         }
    34.         // Create a cleaned path, using the lexical semantics of /../a, to
    35.         // create a "scoped" path component which can safely be joined to fullP
    36.         // for evaluation. At this point, path.String() doesn't contain any
    37.         // symlink components.
    38.         cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)
    39.         if cleanP == string(filepath.Separator) {
    40.             path.Reset()
    41.             continue
    42.         }
    43.         fullP := filepath.Clean(root + cleanP)
    45.         // Figure out whether the path is a symlink.
    46.         fi, err := vfs.Lstat(fullP)
    47.         if err != nil && !IsNotExist(err) {
    48.             return "", err
    49.         }
    50.         // Treat non-existent path components the same as non-symlinks (we
    51.         // can't do any better here).
    52.         // 不存在的路径和 非软链接一样处理
    53.         if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
    54.             path.WriteString(p)
    55.             path.WriteRune(filepath.Separator)
    56.             continue
    57.         }
    59.         // Only increment when we actually dereference a link.
    60.         n++
    62.         // It's a symlink, expand it by prepending it to the yet-unparsed path.
    63.         dest, err := vfs.Readlink(fullP)
    64.         if err != nil {
    65.             return "", err
    66.         }
    67.         // Absolute symlinks reset any work we've already done.
    68.         if filepath.IsAbs(dest) {
    69.             path.Reset()
    70.         }
    71.         // 因为软链接解析过,需要重新解析完整的路径
    72.         unsafePath = dest + string(filepath.Separator) + unsafePath
    73.     }
    75.     // We have to clean path.String() here because it may contain '..'
    76.     // components that are entirely lexical, but would be misleading otherwise.
    77.     // And finally do a final clean to ensure that root is also lexically
    78.     // clean.
    79.     fullP := filepath.Clean(string(filepath.Separator) + path.String())
    80.     return filepath.Clean(root + fullP), nil
    81. }

    runc在挂载 volumes 时是不允许将软链接挂载至容器中的,因为runc会跟随软链接指向的地址,将宿主机上的目录挂载至容器中。

    因此runc会经过一个 securejoin.SecureJoinVFS() 的函数,先对要挂载的目录进行check,然后再进行mount操作。