On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled.
Are we ever going to want to mix selinux and containers? But for now, I guess this makes sense.
Honour the readonly flag when mounting container filesystems from the guest XML config * src/lxc/lxc_container.c: Support readonly mounts --- src/lxc/lxc_container.c | 29 +++++++++++++++++++++++++++++ 1 files changed, 29 insertions(+), 0 deletions(-) } mnts[] = { + /* When we want to make a bind mount readonly, for unknown reasons, + * it is currently neccessary to bind it once, and then remount the
s/neccessary/necessary/
+ * bind with the readonly flag. If this is not done, then the original + * mount point in the main OS becomes readonly too which si not what
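Review bot: the comment's "for unknown reasons" describes documented mount(2) behaviour and could say so: MS_RDONLY is ignored when it is passed together with MS_BIND, so the read-only flag has to be applied in a second call using MS_REMOUNT|MS_BIND|MS_RDONLY, and leaving MS_BIND out of that second call is what remounts the shared superblock and makes the host's original mount point read-only as well. Spelling out that reason in place of "unknown reasons" would make the two-step sequence easier to maintain.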
s/si/is/

ACK with spelling nits fixed.

-- 
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
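The two-step read-only bind mount that the quoted comment describes, written out as an added example (not code from the patch or from libvirt). The mount call is injected through a function pointer so the call sequence can be checked without root, and the guest root path is a constructed placeholder.

```c
#include <stdio.h>
#include <sys/mount.h>

/* mount(2)-compatible pointer: pass the real `mount` to mount as root,
 * or the recorder below to check the sequence unprivileged. */
typedef int (*mount_fn)(const char *src, const char *dst, const char *type,
                        unsigned long flags, const void *data);

/* Bind src at dst and make only the new mount point read-only.
 * Step 1: plain MS_BIND; mount(2) ignores MS_RDONLY in a bind call, so
 *         the bind comes up writable.
 * Step 2: MS_REMOUNT|MS_BIND|MS_RDONLY flips the per-mount-point flag.
 *         Without MS_BIND the remount would hit the shared superblock and
 *         make the host's own /sys or /proc/sys read-only too. */
int bind_mount_readonly(mount_fn do_mount, const char *src, const char *dst)
{
    if (do_mount(src, dst, NULL, MS_BIND, NULL) < 0)
        return -1;
    return do_mount(src, dst, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL);
}

/* Recorder standing in for mount(2): logs the flags instead of mounting. */
static unsigned long recorded_flags[4];
static int recorded_calls;

int record_mount(const char *src, const char *dst, const char *type,
                 unsigned long flags, const void *data)
{
    (void)src; (void)dst; (void)type; (void)data;
    if (recorded_calls < 4)
        recorded_flags[recorded_calls] = flags;
    recorded_calls++;
    return 0;
}

/* 1 if exactly the two expected calls were made, in the right order. */
int recorded_sequence_is_readonly_bind(void)
{
    return recorded_calls == 2 &&
           recorded_flags[0] == MS_BIND &&
           recorded_flags[1] == (MS_REMOUNT | MS_BIND | MS_RDONLY);
}

int main(void)
{
    /* Dry run; "/tmp/guest-root/sys" is a constructed placeholder path. */
    bind_mount_readonly(record_mount, "/sys", "/tmp/guest-root/sys");
    printf("read-only bind sequence correct: %d\n",
           recorded_sequence_is_readonly_bind());
    return 0;
}
```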