Securityfs is not enabled on all kernels running libvirt containers.
This patch introduces a configure option that can specify whether
containers should mount securityfs in their rootfs.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata(a)freescale.com>
---
configure.ac | 8 ++++++++
src/lxc/lxc_container.c | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index 553015a..b4351dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,14 @@ then
[Extra package version])
fi
+dnl Enable securityfs mounts if necessary
+AC_ARG_ENABLE([securityfs],
+ AS_HELP_STRING([--disable-securityfs], [Disable mounting securityfs from
container domains]))
+
+AS_IF([test "x$enable_securityfs" != "xno"],[
+ AC_DEFINE_UNQUOTED([WITH_SECURITYFS],[],[Securityfs present])
+ ])
+
dnl Required minimum versions of all libs we depend on
LIBXML_REQUIRED="2.6.0"
GNUTLS_REQUIRED="1.0.25"
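Review bot: `AC_DEFINE_UNQUOTED([WITH_SECURITYFS],[],[Securityfs present])` gives the macro an empty expansion, but src/lxc/lxc_container.c consumes it as `#if WITH_SECURITYFS` (the mount-table guard and the userns skip in the following hunks), and `#if` on an empty token sequence is a preprocessor error, so the build fails exactly when the option is enabled, which is the default. Define it to a value, the way the existing `#if WITH_SELINUX` consumers expect: `AC_DEFINE_UNQUOTED([WITH_SECURITYFS], [1], [Securityfs present])`. Plain AC_DEFINE would also do here, since nothing in the value needs shell expansion. Note that this configure switch is a build-time decision while the commit message describes a per-kernel condition; see the comment on the lxc_container.c table hunk.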
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c60f5d8..72f1e81 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -768,8 +768,10 @@ static const virLXCBasicMountInfo lxcBasicMounts[] = {
{ "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "sysfs", "/sys", "sysfs", NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+#if WITH_SECURITYFS
{ "securityfs", "/sys/kernel/security", "securityfs",
NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "securityfs", "/sys/kernel/security", "securityfs",
NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+#endif
#if WITH_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
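Review bot: The `#if WITH_SECURITYFS` guard around the two securityfs rows turns the mount into a build-time property, whereas the commit message says the problem is kernels that do not enable securityfs; a binary built with the default (enabled) still attempts the mount on such a kernel. Whether a failed mount of a lxcBasicMounts entry is fatal is decided in lxcContainerMountBasicFS, outside this hunk, so I cannot tell from here if that fails container start; if it does, a runtime probe (for example checking that `securityfs` is listed in the host's /proc/filesystems before walking these rows) would let one build serve both kinds of kernel. Any such runtime variant should keep the two rows paired: the second row re-mounts /sys/kernel/security with `MS_BIND|MS_REMOUNT|MS_RDONLY`, and that read-only remount is what keeps the LSM control files non-writable from inside the container, mirroring the sysfs and selinuxfs rows above and below it.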
@@ -872,8 +874,10 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
continue;
#endif
+#if WITH_SECURITYFS
if (STREQ(mnt->src, "securityfs") && userns_enabled)
continue;
+#endif
if (virFileMakePath(mnt->dst) < 0) {
virReportSystemError(errno,
--
1.7.11.7