diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 0636eabce4..ca5696dad3 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -36,10 +36,6 @@ #include #include -#if HAVE_SELINUX -# include -#endif - /* Yes, we want linux private one, for _syscall2() macro */ #include @@ -426,7 +422,10 @@ err: } -static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot) +static int lxcContainerMountBasicFS(virDomainDefPtr def, + const char *srcprefix, + bool pivotRoot, + virSecurityManagerPtr securityDriver) { const struct { bool needPrefix; @@ -454,9 +453,6 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot) }; int i, rc = -1; char *opts = NULL; -#if HAVE_SELINUX - security_context_t con; -#endif VIR_DEBUG("Mounting basic filesystems %s pivotRoot=%d", NULLSTR(srcprefix), pivotRoot); @@ -504,28 +500,15 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot) } if (pivotRoot) { -#if HAVE_SELINUX - if (getfilecon("/", &con) < 0 && - errno != ENOTSUP) { - virReportSystemError(errno, "%s", - _("Failed to query file context on /")); - goto cleanup; - } -#endif /* * tmpfs is limited to 64kb, since we only have device nodes in there * and don't want to DOS the entire OS RAM usage */ -#if HAVE_SELINUX - if (con) - ignore_value(virAsprintf(&opts, - "mode=755,size=65536,context=\"%s\"", - (const char *)con)); - else -#endif - opts = strdup("mode=755,size=65536"); - + char *mount_options = virSecurityManagerGetMountOptions(securityDriver, def); + ignore_value(virAsprintf(&opts, + "mode=755,size=65536%s",(mount_options ? mount_options : ""))); + VIR_FREE(mount_options); if (!opts) { virReportOOMError(); goto cleanup; @@ -1130,14 +1113,15 @@ cleanup: static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, virDomainFSDefPtr root, char **ttyPaths, - size_t nttyPaths) + size_t nttyPaths, + virSecurityManagerPtr securityDriver) { /* Gives us a private root, leaving all parent OS mounts on /.oldroot */ if (lxcContainerPivotRoot(root) < 0) return -1; /* Mounts the core /proc, /sys, etc filesystems */ - if (lxcContainerMountBasicFS("/.oldroot", true) < 0) + if (lxcContainerMountBasicFS(vmDef, "/.oldroot", true, securityDriver) < 0) return -1; /* Mounts /dev/pts */ @@ -1162,7 +1146,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, /* Nothing mapped to /, we're using the main root, but with extra stuff mapped in */ -static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef) +static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef, + virSecurityManagerPtr securityDriver) { VIR_DEBUG("def=%p", vmDef); /* @@ -1181,7 +1166,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef) return -1; /* Mounts the core /proc, /sys, etc filesystems */ - if (lxcContainerMountBasicFS(NULL, false) < 0) + if (lxcContainerMountBasicFS(vmDef, NULL, false, securityDriver) < 0) return -1; VIR_DEBUG("Mounting completed"); @@ -1211,15 +1196,16 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) static int lxcContainerSetupMounts(virDomainDefPtr vmDef, virDomainFSDefPtr root, char **ttyPaths, - size_t nttyPaths) + size_t nttyPaths, + virSecurityManagerPtr securityDriver) { if (lxcContainerResolveSymlinks(vmDef) < 0) return -1; if (root) - return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths); + return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, securityDriver); else - return lxcContainerSetupExtraMounts(vmDef); + return lxcContainerSetupExtraMounts(vmDef, securityDriver); } @@ -1330,7 +1316,9 @@ static int lxcContainerChild( void *data ) goto cleanup; } - if (lxcContainerSetupMounts(vmDef, root, argv->ttyPaths, argv->nttyPaths) < 0) + if (lxcContainerSetupMounts(vmDef, root, + argv->ttyPaths, argv->nttyPaths, + argv->securityDriver) < 0) goto cleanup; if (!virFileExists(vmDef->os.init)) { diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 1292751bf6..b26225924a 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -52,9 +52,6 @@ # define NUMA_VERSION1_COMPATIBILITY 1 # include #endif -#if HAVE_SELINUX -# include -#endif #include "virterror_internal.h" #include "logging.h" @@ -1385,6 +1382,7 @@ lxcControllerRun(virDomainDefPtr def, size_t nloopDevs = 0; int *loopDevs = NULL; size_t i; + char *mount_options = NULL; if (VIR_ALLOC_N(containerTtyFDs, nttyFDs) < 0) { virReportOOMError(); @@ -1436,11 +1434,7 @@ lxcControllerRun(virDomainDefPtr def, * marked as shared */ if (root) { -#if HAVE_SELINUX - security_context_t con; -#else - bool con = false; -#endif + mount_options = virSecurityManagerGetMountOptions(securityDriver, def); char *opts; VIR_DEBUG("Setting up private /dev/pts"); @@ -1476,21 +1470,10 @@ lxcControllerRun(virDomainDefPtr def, goto cleanup; } -#if HAVE_SELINUX - if (getfilecon(root->src, &con) < 0 && - errno != ENOTSUP) { - virReportSystemError(errno, - _("Failed to query file context on %s"), - root->src); - goto cleanup; - } -#endif /* XXX should we support gid=X for X!=5 for distros which use * a different gid for tty? */ - if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s%s%s", - con ? ",context=\"" : "", - con ? (const char *)con : "", - con ? "\"" : "") < 0) { + if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s", + (mount_options ? mount_options : "")) < 0) { virReportOOMError(); goto cleanup; } @@ -1607,6 +1590,7 @@ lxcControllerRun(virDomainDefPtr def, monitor = client = -1; cleanup: + VIR_FREE(mount_options); VIR_FREE(devptmx); VIR_FREE(devpts); VIR_FORCE_CLOSE(control[0]);