External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-08 22:15:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Convert the LXC driver to use the security driver API for mount options

Browse Source 
Instead of hardcoding use of SELinux contexts in the LXC driver,
switch over to using the official security driver API.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel Walsh 2012-05-11 11:02:50 +01:00 committed by Daniel P. Berrange
parent abf2ebbd27
commit 8dd5794f81
2 changed files with 26 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
src/lxc/lxc_container.c
View File

@ -36,10 +36,6 @@
#include <unistd.h>
#include <mntent.h>
#if HAVE_SELINUX
# include <selinux/selinux.h>
#endif
/* Yes, we want linux private one, for _syscall2() macro */
#include <linux/unistd.h>
@ -426,7 +422,10 @@ err:
}
static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
static int lxcContainerMountBasicFS(virDomainDefPtr def,
const char *srcprefix,
bool pivotRoot,
virSecurityManagerPtr securityDriver)
{
const struct {
bool needPrefix;
@ -454,9 +453,6 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
};
int i, rc = -1;
char *opts = NULL;
#if HAVE_SELINUX
security_context_t con;
#endif
VIR_DEBUG("Mounting basic filesystems %s pivotRoot=%d", NULLSTR(srcprefix), pivotRoot);
@ -504,28 +500,15 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
}
if (pivotRoot) {
#if HAVE_SELINUX
if (getfilecon("/", &con) < 0 &&
errno != ENOTSUP) {
virReportSystemError(errno, "%s",
_("Failed to query file context on /"));
goto cleanup;
}
#endif
/*
* tmpfs is limited to 64kb, since we only have device nodes in there
* and don't want to DOS the entire OS RAM usage
*/
#if HAVE_SELINUX
if (con)
ignore_value(virAsprintf(&opts,
"mode=755,size=65536,context=\"%s\"",
(const char *)con));
else
#endif
opts = strdup("mode=755,size=65536");
char *mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
ignore_value(virAsprintf(&opts,
"mode=755,size=65536%s",(mount_options ? mount_options : "")));
VIR_FREE(mount_options);
if (!opts) {
virReportOOMError();
goto cleanup;
@ -1130,14 +1113,15 @@ cleanup:
static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
size_t nttyPaths)
size_t nttyPaths,
virSecurityManagerPtr securityDriver)
{
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
if (lxcContainerPivotRoot(root) < 0)
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS("/.oldroot", true) < 0)
if (lxcContainerMountBasicFS(vmDef, "/.oldroot", true, securityDriver) < 0)
return -1;
/* Mounts /dev/pts */
@ -1162,7 +1146,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
/* Nothing mapped to /, we're using the main root,
but with extra stuff mapped in */
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
virSecurityManagerPtr securityDriver)
{
VIR_DEBUG("def=%p", vmDef);
/*
@ -1181,7 +1166,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(NULL, false) < 0)
if (lxcContainerMountBasicFS(vmDef, NULL, false, securityDriver) < 0)
return -1;
VIR_DEBUG("Mounting completed");
@ -1211,15 +1196,16 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
size_t nttyPaths)
size_t nttyPaths,
virSecurityManagerPtr securityDriver)
{
if (lxcContainerResolveSymlinks(vmDef) < 0)
return -1;
if (root)
return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths);
return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, securityDriver);
else
return lxcContainerSetupExtraMounts(vmDef);
return lxcContainerSetupExtraMounts(vmDef, securityDriver);
}
@ -1330,7 +1316,9 @@ static int lxcContainerChild( void *data )
goto cleanup;
}
if (lxcContainerSetupMounts(vmDef, root, argv->ttyPaths, argv->nttyPaths) < 0)
if (lxcContainerSetupMounts(vmDef, root,
argv->ttyPaths, argv->nttyPaths,
argv->securityDriver) < 0)
goto cleanup;
if (!virFileExists(vmDef->os.init)) {

26
src/lxc/lxc_controller.c
View File

@ -52,9 +52,6 @@
# define NUMA_VERSION1_COMPATIBILITY 1
# include <numa.h>
#endif
#if HAVE_SELINUX
# include <selinux/selinux.h>
#endif
#include "virterror_internal.h"
#include "logging.h"
@ -1385,6 +1382,7 @@ lxcControllerRun(virDomainDefPtr def,
size_t nloopDevs = 0;
int *loopDevs = NULL;
size_t i;
char *mount_options = NULL;
if (VIR_ALLOC_N(containerTtyFDs, nttyFDs) < 0) {
virReportOOMError();
@ -1436,11 +1434,7 @@ lxcControllerRun(virDomainDefPtr def,
* marked as shared
*/
if (root) {
#if HAVE_SELINUX
security_context_t con;
#else
bool con = false;
#endif
mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
char *opts;
VIR_DEBUG("Setting up private /dev/pts");
@ -1476,21 +1470,10 @@ lxcControllerRun(virDomainDefPtr def,
goto cleanup;
}
#if HAVE_SELINUX
if (getfilecon(root->src, &con) < 0 &&
errno != ENOTSUP) {
virReportSystemError(errno,
_("Failed to query file context on %s"),
root->src);
goto cleanup;
}
#endif
/* XXX should we support gid=X for X!=5 for distros which use
* a different gid for tty? */
if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s%s%s",
con ? ",context=\"" : "",
con ? (const char *)con : "",
con ? "\"" : "") < 0) {
if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s",
(mount_options ? mount_options : "")) < 0) {
virReportOOMError();
goto cleanup;
}
@ -1607,6 +1590,7 @@ lxcControllerRun(virDomainDefPtr def,
monitor = client = -1;
cleanup:
VIR_FREE(mount_options);
VIR_FREE(devptmx);
VIR_FREE(devpts);
VIR_FORCE_CLOSE(control[0]);