From: Daniel Walsh <dwalsh(a)redhat.com>
Instead of hardcoding use of SELinux contexts in the LXC driver,
switch over to using the official security driver API.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 54 ++++++++++++++++++----------------------------
src/lxc/lxc_controller.c | 26 +++++-----------------
src/lxc/lxc_driver.c | 1 +
3 files changed, 27 insertions(+), 54 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 0636eab..ca5696d 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -36,10 +36,6 @@
#include <unistd.h>
#include <mntent.h>
-#if HAVE_SELINUX
-# include <selinux/selinux.h>
-#endif
-
/* Yes, we want linux private one, for _syscall2() macro */
#include <linux/unistd.h>
@@ -426,7 +422,10 @@ err:
}
-static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
+static int lxcContainerMountBasicFS(virDomainDefPtr def,
+ const char *srcprefix,
+ bool pivotRoot,
+ virSecurityManagerPtr securityDriver)
{
const struct {
bool needPrefix;
@@ -454,9 +453,6 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool
pivotRoot)
};
int i, rc = -1;
char *opts = NULL;
-#if HAVE_SELINUX
- security_context_t con;
-#endif
VIR_DEBUG("Mounting basic filesystems %s pivotRoot=%d", NULLSTR(srcprefix),
pivotRoot);
@@ -504,28 +500,15 @@ static int lxcContainerMountBasicFS(const char *srcprefix, bool
pivotRoot)
}
if (pivotRoot) {
-#if HAVE_SELINUX
- if (getfilecon("/", &con) < 0 &&
- errno != ENOTSUP) {
- virReportSystemError(errno, "%s",
- _("Failed to query file context on /"));
- goto cleanup;
- }
-#endif
/*
* tmpfs is limited to 64kb, since we only have device nodes in there
* and don't want to DOS the entire OS RAM usage
*/
-#if HAVE_SELINUX
- if (con)
- ignore_value(virAsprintf(&opts,
-
"mode=755,size=65536,context=\"%s\"",
- (const char *)con));
- else
-#endif
- opts = strdup("mode=755,size=65536");
-
+ char *mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
+ ignore_value(virAsprintf(&opts,
+ "mode=755,size=65536%s",(mount_options ?
mount_options : "")));
+ VIR_FREE(mount_options);
if (!opts) {
virReportOOMError();
goto cleanup;
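Review bot: A NULL return from `virSecurityManagerGetMountOptions()` is folded into an empty string here, so if that helper can return NULL on failure (not visible in this diff) the /dev tmpfs is mounted without any security context and without an error, whereas the removed code aborted with "Failed to query file context on /". The format `"mode=755,size=65536%s"` also carries no separator, so it silently depends on the driver returning a string that already begins with a comma; a comment such as `/* mount_options is NULL or starts with ',' (e.g. ,context="...") */` would pin that contract. The same two assumptions apply to the devpts option string built in lxcControllerRun in lxc_controller.c. If the API can distinguish "no options" from "error", the error case should `goto cleanup` rather than continue unlabelled. lxcContainerMountBasicFS starts and ends outside this hunk.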
@@ -1130,14 +1113,15 @@ cleanup:
static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
- size_t nttyPaths)
+ size_t nttyPaths,
+ virSecurityManagerPtr securityDriver)
{
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
if (lxcContainerPivotRoot(root) < 0)
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS("/.oldroot", true) < 0)
+ if (lxcContainerMountBasicFS(vmDef, "/.oldroot", true, securityDriver) <
0)
return -1;
/* Mounts /dev/pts */
@@ -1162,7 +1146,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
/* Nothing mapped to /, we're using the main root,
but with extra stuff mapped in */
-static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
+static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
+ virSecurityManagerPtr securityDriver)
{
VIR_DEBUG("def=%p", vmDef);
/*
@@ -1181,7 +1166,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(NULL, false) < 0)
+ if (lxcContainerMountBasicFS(vmDef, NULL, false, securityDriver) < 0)
return -1;
VIR_DEBUG("Mounting completed");
@@ -1211,15 +1196,16 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
- size_t nttyPaths)
+ size_t nttyPaths,
+ virSecurityManagerPtr securityDriver)
{
if (lxcContainerResolveSymlinks(vmDef) < 0)
return -1;
if (root)
- return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths);
+ return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths,
securityDriver);
else
- return lxcContainerSetupExtraMounts(vmDef);
+ return lxcContainerSetupExtraMounts(vmDef, securityDriver);
}
@@ -1330,7 +1316,9 @@ static int lxcContainerChild( void *data )
goto cleanup;
}
- if (lxcContainerSetupMounts(vmDef, root, argv->ttyPaths, argv->nttyPaths) <
0)
+ if (lxcContainerSetupMounts(vmDef, root,
+ argv->ttyPaths, argv->nttyPaths,
+ argv->securityDriver) < 0)
goto cleanup;
if (!virFileExists(vmDef->os.init)) {
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 1292751..b262259 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -52,9 +52,6 @@
# define NUMA_VERSION1_COMPATIBILITY 1
# include <numa.h>
#endif
-#if HAVE_SELINUX
-# include <selinux/selinux.h>
-#endif
#include "virterror_internal.h"
#include "logging.h"
@@ -1385,6 +1382,7 @@ lxcControllerRun(virDomainDefPtr def,
size_t nloopDevs = 0;
int *loopDevs = NULL;
size_t i;
+ char *mount_options = NULL;
if (VIR_ALLOC_N(containerTtyFDs, nttyFDs) < 0) {
virReportOOMError();
@@ -1436,11 +1434,7 @@ lxcControllerRun(virDomainDefPtr def,
* marked as shared
*/
if (root) {
-#if HAVE_SELINUX
- security_context_t con;
-#else
- bool con = false;
-#endif
+ mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
char *opts;
VIR_DEBUG("Setting up private /dev/pts");
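Review bot: The new assignment to `mount_options` sits above `char *opts;`, which turns that declaration into a declaration-after-statement inside the `if (root)` block. Swapping the two lines (`char *opts;` first, then `mount_options = virSecurityManagerGetMountOptions(securityDriver, def);`) keeps the declarations-first layout that the visible locals at the top of lxcControllerRun follow. `securityDriver` is not declared in any visible line, so it is presumably a parameter in the part of the signature that lies outside the hunk.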
@@ -1476,21 +1470,10 @@ lxcControllerRun(virDomainDefPtr def,
goto cleanup;
}
-#if HAVE_SELINUX
- if (getfilecon(root->src, &con) < 0 &&
- errno != ENOTSUP) {
- virReportSystemError(errno,
- _("Failed to query file context on %s"),
- root->src);
- goto cleanup;
- }
-#endif
/* XXX should we support gid=X for X!=5 for distros which use
* a different gid for tty? */
- if (virAsprintf(&opts,
"newinstance,ptmxmode=0666,mode=0620,gid=5%s%s%s",
- con ? ",context=\"" : "",
- con ? (const char *)con : "",
- con ? "\"" : "") < 0) {
+ if (virAsprintf(&opts,
"newinstance,ptmxmode=0666,mode=0620,gid=5%s",
+ (mount_options ? mount_options : "")) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1607,6 +1590,7 @@ lxcControllerRun(virDomainDefPtr def,
monitor = client = -1;
cleanup:
+ VIR_FREE(mount_options);
VIR_FREE(devptmx);
VIR_FREE(devpts);
VIR_FORCE_CLOSE(control[0]);
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 42d1d94..1cbb839 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -2533,6 +2533,7 @@ error:
static int
lxcSecurityInit(lxc_driver_t *driver)
{
+ VIR_INFO("lxcSecurityInit %s", driver->securityDriverName);
virSecurityManagerPtr mgr = virSecurityManagerNew(LXC_DRIVER_NAME,
driver->securityDriverName,
false,
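Review bot: `driver->securityDriverName` is passed straight to `%s` in the new `VIR_INFO` line, which is undefined behaviour if no security driver name is configured and the field is NULL (whether it can be NULL is not visible here). The patch set already uses `NULLSTR()` for this purpose in lxc_container.c, so `VIR_INFO("lxcSecurityInit %s", NULLSTR(driver->securityDriverName));` would be safer. The log call is also placed before the `virSecurityManagerPtr mgr` declaration; moving it below keeps declarations first. lxcSecurityInit's body continues past the end of the hunk.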
--
1.7.10.1