From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled.

Honour the readonly flag when mounting container filesystems from the guest XML config

* src/lxc/lxc_container.c: Support readonly mounts
---
 src/lxc/lxc_container.c | 29 +++++++++++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 10ebca3..5cb090e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -363,6 +363,15 @@ static int lxcContainerPivotRoot(virDomainFSDefPtr root)
         goto err;
     }
 
+    if (root->readonly) {
+        if (mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make new root %s readonly"),
+                                 root->src);
+            goto err;
+        }
+    }
+
     /* Now we chroot into the tmpfs, then pivot into the
      * root->src bind-mounted onto '/new' */
     if (chdir(newroot) < 0) {
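Review bot: The read-only remount of newroot in the new `if (root->readonly)` block passes MS_REC, but MS_REC has no effect on an MS_REMOUNT|MS_BIND call: the kernel changes only the per-mountpoint flags of the top mount, so any filesystem already mounted below root->src stays writable inside the container even though the domain asked for a read-only root. If the earlier bind of root->src onto newroot is recursive (the start of lxcContainerPivotRoot is outside this hunk), either drop MS_REC here so the flags say what actually happens, or walk the submounts and remount each one read-only in turn. A comment on the mount() line would save the next reader the same surprise, e.g. `/* MS_REMOUNT|MS_BIND only changes this mount point's flags; submounts are not made readonly */`.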
@@ -403,11 +412,20 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
         const char *opts;
         int flags;
     } mnts[] = {
+        /* When we want to make a bind mount readonly, for unknown reasons,
+         * it is currently neccessary to bind it once, and then remount the
+         * bind with the readonly flag. If this is not done, then the original
+         * mount point in the main OS becomes readonly too which si not what
+         * we want. Hence some things have two entries here.
+         */
         { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
         { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
         { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/sys", "/sys", NULL, NULL, MS_BIND },
+        { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
         { true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
+        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
     };
     int i, rc = -1;
 
@@ -573,6 +591,17 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
         goto cleanup;
     }
 
+    if (fs->readonly) {
+        VIR_DEBUG("Binding %s readonly", fs->dst);
+        if (mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make directory %s readonly"),
+                                 fs->dst);
+            goto cleanup;
+        }
+
+    }
+
     ret = 0;
 
     VIR_DEBUG("Done mounting filesystem ret=%d tryProc=%d", ret, tryProc);
-- 
1.7.6

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
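Review bot: The comment added above the mnts[] table attributes the two-entry pattern to "unknown reasons", but the behaviour is documented: a plain MS_BIND call ignores MS_RDONLY, and a follow-up MS_REMOUNT|MS_BIND changes only the per-mountpoint flags of the new mount, which is why the host's original mount stays writable; the comment also has two typos (`neccessary`, `si`). I would replace it with a comment that states this, along the lines of `/* A bind mount ignores MS_RDONLY, so bind first and then remount the new mount point with MS_REMOUNT|MS_BIND|MS_RDONLY; that changes only the per-mountpoint flags, so the host's view stays writable. */`. It is also worth a sentence that the remount covers only that mount point, so anything already mounted beneath /sys or /proc/sys on the host is not made read-only by these entries unless the loop over mnts[] (outside this hunk) handles submounts itself.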
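Review bot: In the new `if (fs->readonly)` block of lxcContainerMountFSBind the read-only remount runs after the writable bind has already succeeded, so when the second mount() fails the guest-visible mount is still writable at the point of `goto cleanup`; whether cleanup unmounts fs->dst is not visible here, as the function begins and ends outside the hunk. If it does not, the error path should tear the bind down so a failed readonly request never leaves a writable mount behind, e.g. `umount(fs->dst);` before the goto. The same top-mount-only limitation of MS_REMOUNT|MS_BIND applies here as in the pivot-root hunk, so submounts under fs->dst would remain writable. Minor style: the stray blank line before the block's closing `}` should go.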