Honour filesystem readonly flag & make special FS readonly
A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled. Honour the readonly flag when mounting container filesystems from the guest XML config * src/lxc/lxc_container.c: Support readonly mounts
This commit is contained in:
parent
6d37888e6a
commit
b3ad9b9b80
@ -363,6 +363,15 @@ static int lxcContainerPivotRoot(virDomainFSDefPtr root)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (root->readonly) {
|
||||
if (mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
|
||||
virReportSystemError(errno,
|
||||
_("Failed to make new root %s readonly"),
|
||||
root->src);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
/* Now we chroot into the tmpfs, then pivot into the
|
||||
* root->src bind-mounted onto '/new' */
|
||||
if (chdir(newroot) < 0) {
|
||||
@ -403,11 +412,20 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
|
||||
const char *opts;
|
||||
int mflags;
|
||||
} mnts[] = {
|
||||
/* When we want to make a bind mount readonly, for unknown reasons,
|
||||
* it is currently neccessary to bind it once, and then remount the
|
||||
* bind with the readonly flag. If this is not done, then the original
|
||||
* mount point in the main OS becomes readonly too which si not what
|
||||
* we want. Hence some things have two entries here.
|
||||
*/
|
||||
{ false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
|
||||
{ false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
|
||||
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
|
||||
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
||||
{ true, "/sys", "/sys", NULL, NULL, MS_BIND },
|
||||
{ true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
||||
{ true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
|
||||
{ true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
||||
};
|
||||
int i, rc = -1;
|
||||
|
||||
@ -573,6 +591,17 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (fs->readonly) {
|
||||
VIR_DEBUG("Binding %s readonly", fs->dst);
|
||||
if (mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
|
||||
virReportSystemError(errno,
|
||||
_("Failed to make directory %s readonly"),
|
||||
fs->dst);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
|
||||
VIR_DEBUG("Done mounting filesystem ret=%d", ret);
|
||||
|
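Review bot: In the first hunk the remount `mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL)` will not make the root recursively read-only: the kernel applies MS_REMOUNT only to the single mount at `newroot` and ignores MS_REC on a remount, so any mounts nested under `root->src` that were picked up by the earlier recursive bind stay writable, which is not what "Honour the readonly flag" promises. The same applies to the non-recursive remount in the third hunk (`mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL)`), and in both places a MS_REMOUNT|MS_BIND resets the per-mount flags to exactly those passed, so any nosuid/nodev/noexec the bind inherited from the source mount should be re-specified alongside MS_RDONLY (the /proc/sys entries in the second hunk drop the MS_NOSUID|MS_NOEXEC|MS_NODEV that /proc was mounted with for this reason). Either walk the submounts under the new root and remount each one read-only, or document the limit with a comment such as `/* MS_REC is ignored with MS_REMOUNT: only the top-level mount becomes read-only; submounts must be remounted individually */`. Note also that a read-only bind is only a barrier if the container cannot call mount(2) itself, i.e. CAP_SYS_ADMIN is dropped, which this file does not show. lxcContainerPivotRoot and lxcContainerMountFSBind both start and end outside the hunks shown.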