Change label of fusefs mounted at /proc/meminfo in lxc containers

We do not want to allow contained applications to be able to read fusefs_t. So we want /proc/meminfo label to match the system default proc_t. Fix checking of error codes
2025-01-21 20:15:17 +00:00 · 2013-05-15 10:35:48 -04:00 · 2013-05-15 10:35:48 -04:00 · 940c6f1085
commit 940c6f1085
parent 7bb7510de7
1 changed files with 24 additions and 0 deletions
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@ -52,6 +52,10 @@
 # include <blkid/blkid.h>
 #endif

+#if WITH_SELINUX
+# include <selinux/selinux.h>
+#endif
+
 #include "virerror.h"
 #include "virlog.h"
 #include "lxc_container.h"
@ -756,6 +760,26 @@ static int lxcContainerMountProcFuse(virDomainDefPtr def)
                           def->name)) < 0)
        return ret;

+# if WITH_SELINUX
+    if (is_selinux_enabled() > 0) {
+        security_context_t scon;
+        ret = getfilecon("/proc/meminfo", &scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to get security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+        ret = setfilecon(meminfo_path, scon);
+        freecon(scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to set security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+    }
+# endif
    if ((ret = mount(meminfo_path, "/proc/meminfo",
                     NULL, MS_BIND, NULL)) < 0) {
        virReportSystemError(errno,