Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/src/lxc
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2012-07-18 19:44:47 +0100
committerDaniel P. Berrange <berrange@redhat.com>2012-07-18 19:49:22 +0100
commite00184291eb7d35ad3f3ef882a2c6c738a20c796 (patch)
tree581f42f15e790f709edb480ff1cab7a7195f1029 /src/lxc
parentReplace use of virNodeDeviceReportError with virReportError (diff)
downloadlibvirt-e00184291eb7d35ad3f3ef882a2c6c738a20c796.tar.gz
libvirt-e00184291eb7d35ad3f3ef882a2c6c738a20c796.tar.bz2
libvirt-e00184291eb7d35ad3f3ef882a2c6c738a20c796.zip
Mount all tmpfs filesystems with correct SELinux label
Basically within a Secure Linux Container (virt-sandbox) we want all content that the process within the container can write to be labeled the same. We are labeling the physical disk correctly but when we create "RAM" based file systems libvirt is not labeling them, and they are defaulting to tmpfs_t, which will will not allow the processes to write. This patch labels the RAM based file systems correctly.
Diffstat (limited to 'src/lxc')
-rw-r--r--src/lxc/lxc_container.c47
1 files changed, 27 insertions, 20 deletions
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 145accb95..92a3bf9ed 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -425,9 +425,8 @@ err:
}
-static int lxcContainerMountBasicFS(virDomainDefPtr def,
- bool pivotRoot,
- virSecurityManagerPtr securityDriver)
+static int lxcContainerMountBasicFS(bool pivotRoot,
+ char *sec_mount_options)
{
const struct {
const char *src;
@@ -493,10 +492,8 @@ static int lxcContainerMountBasicFS(virDomainDefPtr def,
* and don't want to DOS the entire OS RAM usage
*/
- char *mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
ignore_value(virAsprintf(&opts,
- "mode=755,size=65536%s",(mount_options ? mount_options : "")));
- VIR_FREE(mount_options);
+ "mode=755,size=65536%s",(sec_mount_options ? sec_mount_options : "")));
if (!opts) {
virReportOOMError();
goto cleanup;
@@ -1001,12 +998,14 @@ cleanup:
}
-static int lxcContainerMountFSTmpfs(virDomainFSDefPtr fs)
+static int lxcContainerMountFSTmpfs(virDomainFSDefPtr fs,
+ char *sec_mount_options)
{
int ret = -1;
char *data = NULL;
- if (virAsprintf(&data, "size=%lldk", fs->usage) < 0) {
+ if (virAsprintf(&data,
+ "size=%lldk%s", fs->usage, (sec_mount_options ? sec_mount_options : "")) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1043,7 +1042,8 @@ cleanup:
static int lxcContainerMountFS(virDomainFSDefPtr fs,
- const char *srcprefix)
+ const char *srcprefix,
+ char *sec_mount_options)
{
switch (fs->type) {
case VIR_DOMAIN_FS_TYPE_MOUNT:
@@ -1055,7 +1055,7 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,
return -1;
break;
case VIR_DOMAIN_FS_TYPE_RAM:
- if (lxcContainerMountFSTmpfs(fs) < 0)
+ if (lxcContainerMountFSTmpfs(fs, sec_mount_options) < 0)
return -1;
break;
case VIR_DOMAIN_FS_TYPE_BIND:
@@ -1082,7 +1082,8 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,
static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
const char *dstprefix,
- bool skipRoot)
+ bool skipRoot,
+ char *sec_mount_options)
{
size_t i;
VIR_DEBUG("Mounting %s %d", dstprefix, skipRoot);
@@ -1093,7 +1094,7 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
STREQ(vmDef->fss[i]->dst, "/"))
continue;
- if (lxcContainerMountFS(vmDef->fss[i], dstprefix) < 0)
+ if (lxcContainerMountFS(vmDef->fss[i], dstprefix, sec_mount_options) < 0)
return -1;
}
@@ -1401,7 +1402,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
size_t nttyPaths,
- virSecurityManagerPtr securityDriver)
+ char *sec_mount_options)
{
struct lxcContainerCGroup *mounts = NULL;
size_t nmounts = 0;
@@ -1427,7 +1428,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(vmDef, true, securityDriver) < 0)
+ if (lxcContainerMountBasicFS(true, sec_mount_options) < 0)
goto cleanup;
/* Now we can re-mount the cgroups controllers in the
@@ -1444,7 +1445,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup;
/* Sets up any non-root mounts from guest config */
- if (lxcContainerMountAllFS(vmDef, "/.oldroot", true) < 0)
+ if (lxcContainerMountAllFS(vmDef, "/.oldroot", true, sec_mount_options) < 0)
goto cleanup;
/* Gets rid of all remaining mounts from host OS, including /.oldroot itself */
@@ -1463,7 +1464,7 @@ cleanup:
but with extra stuff mapped in */
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
- virSecurityManagerPtr securityDriver)
+ char *sec_mount_options)
{
int ret = -1;
struct lxcContainerCGroup *mounts = NULL;
@@ -1490,7 +1491,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
}
VIR_DEBUG("Mounting config FS");
- if (lxcContainerMountAllFS(vmDef, "", false) < 0)
+ if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0)
return -1;
/* Before replacing /sys we need to identify any
@@ -1506,7 +1507,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
goto cleanup;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(vmDef, false, securityDriver) < 0)
+ if (lxcContainerMountBasicFS(false, sec_mount_options) < 0)
goto cleanup;
/* Now we can re-mount the cgroups controllers in the
@@ -1551,13 +1552,19 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
size_t nttyPaths,
virSecurityManagerPtr securityDriver)
{
+ int rc = -1;
+ char *sec_mount_options = NULL;
if (lxcContainerResolveSymlinks(vmDef) < 0)
return -1;
+ sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef);
if (root && root->src)
- return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, securityDriver);
+ rc = lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, sec_mount_options);
else
- return lxcContainerSetupExtraMounts(vmDef, root, securityDriver);
+ rc = lxcContainerSetupExtraMounts(vmDef, root, sec_mount_options);
+
+ VIR_FREE(sec_mount_options);
+ return rc;
}