[PATCH 3/3] Honour filesystem readonly flag & make special FS readonly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

A container should not be allowed to modify stuff in /sys
or /proc/sys so make them readonly. Make /selinux readonly
so that containers think that selinux is disabled.

Honour the readonly flag when mounting container filesystems
from the guest XML config

* src/lxc/lxc_container.c: Support readonly mounts
---
 src/lxc/lxc_container.c |   29 +++++++++++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 10ebca3..5cb090e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -363,6 +363,15 @@ static int lxcContainerPivotRoot(virDomainFSDefPtr root)
         goto err;
     }
 
+    if (root->readonly) {
+        if (mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make new root %s readonly"),
+                                 root->src);
+            goto err;
+        }
+    }
+
     /* Now we chroot into the tmpfs, then pivot into the
      * root->src bind-mounted onto '/new' */
     if (chdir(newroot) < 0) {
@@ -403,11 +412,20 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
         const char *opts;
         int flags;
     } mnts[] = {
+        /* When we want to make a bind mount readonly, for unknown reasons,
+         * it is currently neccessary to bind it once, and then remount the
+         * bind with the readonly flag. If this is not done, then the original
+         * mount point in the main OS becomes readonly too which si not what
+         * we want. Hence some things have two entries here.
+         */
         { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
         { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
         { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/sys", "/sys", NULL, NULL, MS_BIND },
+        { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
+        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
     };
     int i, rc = -1;
 
@@ -573,6 +591,17 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
         goto cleanup;
     }
 
+    if (fs->readonly) {
+        VIR_DEBUG("Binding %s readonly", fs->dst);
+        if (mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make directory %s readonly"),
+                                 fs->dst);
+            goto cleanup;
+        }
+
+    }
+
     ret = 0;
 
     VIR_DEBUG("Done mounting filesystem ret=%d tryProc=%d", ret, tryProc);
-- 
1.7.6

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]