Don't bind mount onto a char device for /dev/ptmx in LXC

The current setup code for LXC is bind mounting /dev/pts/ptmx on top of a character device /dev/ptmx. This is denied by SELinux policy and is just wrong. The target of a bind mount should just be a plain file * src/lxc/lxc_container.c: Don't bind /dev/pts/ptmx onto a char device
2025-01-11 15:27:47 +00:00 · 2012-01-11 09:59:37 +00:00 · 2012-01-11 09:59:37 +00:00 · c30a78c398
commit c30a78c398
parent ef7efbc6ef
1 changed files with 14 additions and 9 deletions
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@ -555,18 +555,23 @@ static int lxcContainerPopulateDevices(char **ttyPaths, size_t nttyPaths)
        }
    }

-    dev_t dev = makedev(LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX);
-    if (mknod("/dev/ptmx", S_IFCHR, dev) < 0 ||
-        chmod("/dev/ptmx", 0666)) {
-        virReportSystemError(errno, "%s",
-                             _("Failed to make device /dev/ptmx"));
-        return -1;
-    }
-
    if (access("/dev/pts/ptmx", W_OK) == 0) {
+        /* We have private devpts capability, so bind that */
+        if (virFileTouch("/dev/ptmx", 0666) < 0)
+            return -1;
+
        if (mount("/dev/pts/ptmx", "/dev/ptmx", "ptmx", MS_BIND, NULL) < 0) {
            virReportSystemError(errno, "%s",
-                                 _("Failed to bind-mount /dev/ptmx to /dev/pts/ptmx"));
+                                 _("Failed to bind /dev/pts/ptmx on to /dev/ptmx"));
+            return -1;
+        }
+    } else {
+        /* Legacy devpts, so we need to just use shared one */
+        dev_t dev = makedev(LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX);
+        if (mknod("/dev/ptmx", S_IFCHR, dev) < 0 ||
+            chmod("/dev/ptmx", 0666)) {
+            virReportSystemError(errno, "%s",
+                                 _("Failed to make device /dev/ptmx"));
            return -1;
        }
    }