mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-02 11:21:12 +00:00
0f01192e7e
For the sake of backwards compat, LXC guests are *not* confined by default. This is because it is not practical to dynamically relabel containers using large filesystem trees. Applications can create confined containers though, by giving suitable XML configs * src/Makefile.am: Link libvirt_lxc to security drivers * src/lxc/libvirtd_lxc.aug, src/lxc/lxc_conf.h, src/lxc/lxc_conf.c, src/lxc/lxc.conf, src/lxc/test_libvirtd_lxc.aug: Config file handling for security driver * src/lxc/lxc_driver.c: Wire up security driver functions * src/lxc/lxc_controller.c: Add a '--security' flag to specify which security driver to activate * src/lxc/lxc_container.c, src/lxc/lxc_container.h: Set the process label just before exec'ing init.
44 lines
1.6 KiB
Plaintext
44 lines
1.6 KiB
Plaintext
(* /etc/libvirt/lxc.conf *)
|
|
|
|
module Libvirtd_lxc =
|
|
autoload xfm
|
|
|
|
let eol = del /[ \t]*\n/ "\n"
|
|
let value_sep = del /[ \t]*=[ \t]*/ " = "
|
|
let indent = del /[ \t]*/ ""
|
|
|
|
let array_sep = del /,[ \t\n]*/ ", "
|
|
let array_start = del /\[[ \t\n]*/ "[ "
|
|
let array_end = del /\]/ "]"
|
|
|
|
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
|
|
let bool_val = store /0|1/
|
|
let int_val = store /[0-9]+/
|
|
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
|
|
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
|
|
|
|
let str_entry (kw:string) = [ key kw . value_sep . str_val ]
|
|
let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
|
|
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
|
|
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
|
|
|
|
(* Config entry grouped by function - same order as example config *)
|
|
let log_entry = bool_entry "log_with_libvirtd"
|
|
| str_entry "security_driver"
|
|
| bool_entry "security_default_confined"
|
|
| bool_entry "security_require_confined"
|
|
|
|
(* Each enty in the config is one of the following three ... *)
|
|
let entry = log_entry
|
|
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
|
|
let empty = [ label "#empty" . eol ]
|
|
|
|
let record = indent . entry . eol
|
|
|
|
let lns = ( record | comment | empty ) *
|
|
|
|
let filter = incl "/etc/libvirt/lxc.conf"
|
|
. Util.stdexcl
|
|
|
|
let xfm = transform lns filter
|