On Tue, Oct 08, 2013 at 09:24:50PM -0600, Eric Blake wrote:
> On 10/07/2013 07:06 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> >
> > Currently the LXC container tries to skip selinux/securityfs
> > mounts if the directory does not exist in the filesystem,
> > or if SELinux is disabled.
> >
> > The former check is flawed because the /sys/fs/selinux
> > or /sys/kernel/securityfs directories may exist in sysfs
> > even if the mount type is disabled. Instead of just doing
> > an access() check, use a virFileIsMounted() to see if
> > the FS is actually present in the host OS. This also
> > avoids the need to check is_selinux_enabled().
> >
> > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> > ---
> >  src/lxc/lxc_container.c | 37 +++++++++++++++++++++++--------------
> >  1 file changed, 23 insertions(+), 14 deletions(-)
> >
> > static const virLXCBasicMountInfo lxcBasicMounts[] = {
> > - { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
> > - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false },
> > - { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false },
> > - { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
> > + { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
> > + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
> > + { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
> > + { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
> > #if WITH_SELINUX
> > - { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
> > + { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
>
> All your bools are either both false or both true; does it make sense to
> consolidate them into one, or will a future patch expose a need for a
> different combo?

I don't have a pending use for it, but logically I just prefer to keep it
separate.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
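Review bot: the second bool added to every lxcBasicMounts initializer is never explained in the quoted hunk, and the commit message only describes replacing the access() check with virFileIsMounted(); with positional initializers such as `{ "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }` a reader cannot tell which flag drives the "skip if not mounted" behaviour and which drives whatever the other one does. Suggest documenting both fields where virLXCBasicMountInfo is declared (or using designated initializers like `.skipUnmounted = true`), and saying in the commit message why a separate flag is wanted when every entry sets the two identically. Separately, and unchanged by this patch but visible in the same hunk: `{ "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, ... }` relies on MS_RDONLY taking effect in the same mount() call as MS_BIND, which the kernel does not honour (with MS_BIND only MS_REC is respected); worth confirming that the mount loop issues the follow-up MS_REMOUNT|MS_BIND|MS_RDONLY call, since a writable /proc/sys inside the container is a real escape surface.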