Honour filesystem readonly flag & make special FS readonly
A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled. Honour the readonly flag when mounting container filesystems from the guest XML config * src/lxc/lxc_container.c: Support readonly mounts
parent
6d37888e6a
commit
b3ad9b9b80
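--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -363,6 +363,15 @@ static int lxcContainerPivotRoot(virDomainFSDefPtr root)
         goto err;
     }
 
+    if (root->readonly) {
+        if (mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make new root %s readonly"),
+                                 root->src);
+            goto err;
+        }
+    }
+
     /* Now we chroot into the tmpfs, then pivot into the
      * root->src bind-mounted onto '/new' */
     if (chdir(newroot) < 0) {
@@ -403,11 +412,20 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
         const char *opts;
         int mflags;
     } mnts[] = {
+        /* When we want to make a bind mount readonly, for unknown reasons,
+         * it is currently neccessary to bind it once, and then remount the
+         * bind with the readonly flag. If this is not done, then the original
+         * mount point in the main OS becomes readonly too which si not what
+         * we want. Hence some things have two entries here.
+         */
         { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
         { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
         { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/sys", "/sys", NULL, NULL, MS_BIND },
+        { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
+        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
     };
     int i, rc = -1;
 
@@ -573,6 +591,17 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
         goto cleanup;
     }
 
+    if (fs->readonly) {
+        VIR_DEBUG("Binding %s readonly", fs->dst);
+        if (mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make directory %s readonly"),
+                                 fs->dst);
+            goto cleanup;
+        }
+
+    }
+
     ret = 0;
 
     VIR_DEBUG("Done mounting filesystem ret=%d", ret);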
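Review bot: In the lxcContainerPivotRoot hunk the `MS_REC` in `MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT` is ineffective: a remount changes the per-mount flags of the one mount it names, so if the earlier bind of root->src onto newroot (outside this hunk) is recursive, the mounts stacked beneath it stay writable while only the top mount becomes readonly. The remounts in the mnts[] table and in lxcContainerMountFSBind are likewise single-mount only, which is fine for plain directories but should be stated next to the flags, e.g. `/* MS_REMOUNT|MS_RDONLY applies to this one mount; submounts keep their own flags */`. Note also that a readonly per-mount flag set this way can be cleared by a later `MS_REMOUNT` from a process inside the container that still holds CAP_SYS_ADMIN, so the guest-visible readonly state is hardening rather than an enforced boundary unless that capability is dropped before exec; a one-line comment on the `root->readonly` branch saying so would save the next reader from assuming more. The new mnts[] comment also carries two typos (`neccessary`, `si not`). lxcContainerMountFSBind begins before this hunk.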