External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-02 01:45:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change label of fusefs mounted at /proc/meminfo in lxc containers

Browse Source 
We do not want to allow contained applications to be able to read fusefs_t.
So we want /proc/meminfo label to match the system default proc_t.

Fix checking of error codes
This commit is contained in:
Dan Walsh 2013-05-15 10:35:48 -04:00 committed by Michal Privoznik
parent 7bb7510de7
commit 940c6f1085
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/lxc/lxc_container.c
View File

@ -52,6 +52,10 @@
# include <blkid/blkid.h> # include <blkid/blkid.h>
#endif #endif
#if WITH_SELINUX
# include <selinux/selinux.h>
#endif
#include "virerror.h" #include "virerror.h"
#include "virlog.h" #include "virlog.h"
#include "lxc_container.h" #include "lxc_container.h"
@ -756,6 +760,26 @@ static int lxcContainerMountProcFuse(virDomainDefPtr def)
def->name)) < 0) def->name)) < 0)
return ret; return ret;
# if WITH_SELINUX
if (is_selinux_enabled() > 0) {
security_context_t scon;
ret = getfilecon("/proc/meminfo", &scon);
if (ret < 0) {
virReportSystemError(errno,
_("Failed to get security context of %s for /proc/meminfo mount point"),
meminfo_path);
return ret;
}
ret = setfilecon(meminfo_path, scon);
freecon(scon);
if (ret < 0) {
virReportSystemError(errno,
_("Failed to set security context of %s for /proc/meminfo mount point"),
meminfo_path);
return ret;
}
}
# endif
if ((ret = mount(meminfo_path, "/proc/meminfo", if ((ret = mount(meminfo_path, "/proc/meminfo",
NULL, MS_BIND, NULL)) < 0) { NULL, MS_BIND, NULL)) < 0) {
virReportSystemError(errno, virReportSystemError(errno,