Re: These patches needed to mount the securityfs in containers.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Feb 01, 2013 at 11:19:49AM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Simple patch to make sure /sys/kernel/security is mounted inside the
> container.  Systemd attempts to use/mount this file system if it is not present.
> 
> 
> One of these days I will figure out how to merge patches.

First off all, you should do all your work on a branch
and not on 'master'.

eg, lets assume you did some work on a branch 'some-fix'
which has 2 patches

   git checkout -b some-fix
   ...do work..
   git add -u
   git commit
   ...do more work..
   git add -u
   git commit


Now you want to turn this into one single patch for submission.

   git rebase -i master
   ....it now displays a list of patches in 'vi'...

To merge two patches into one, just change the 'pick' word
against the 2nd patch into 'squash'. This causes it to merge
the 2nd patch into the first patch and lets you update the
commit message.

> >From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
> Date: Tue, 6 Nov 2012 13:26:50 -0500
> Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for
>  containers
> 
> ---
>  src/lxc/lxc_container.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 8faa664..e06313e 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
>          { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>          { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>  #if HAVE_SELINUX
> -- 
> 1.8.0
> 
> 

> >From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
> Date: Tue, 6 Nov 2012 15:07:21 -0500
> Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the
>  container
> 
> ---
>  src/lxc/lxc_container.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 17f685d..9030c27 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
>          { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> -        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>          { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>  #if HAVE_SELINUX
>          { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },

If they were combined, these patches would be good.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]