[libvirt] [PATCH] Mount fresh instance of sysfs in LXC

From: "Daniel P. Berrange" <berrange@redhat.com>

Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it.

* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
 src/lxc/lxc_container.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY }, #if HAVE_SELINUX { true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND }, { true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, -- 1.7.10.1
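Review bot: the single-step `{ false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY }` is right to drop the separate MS_BIND|MS_REMOUNT|MS_RDONLY pass, because MS_RDONLY only takes effect on a bind mount at remount time but is honoured on a fresh filesystem mount; that reasoning is worth a sentence in the commit message, otherwise the asymmetry with the two-line /proc/sys bind pair directly above reads as accidental. The SELINUX_MOUNT bind pair in the trailing context is unchanged and still keyed `true` (host-prefixed source); if SELINUX_MOUNT resolves to a path below /sys, it is now bind-mounted onto a directory of a brand-new read-only sysfs instance rather than of the host's /sys, so a short comment in the table confirming that this ordering is intended (and that the mount point directory exists in a fresh sysfs instance) would help the next reader. Note also that the new entry reaches the container view only because a sysfs superblock is tagged with the mounter's network namespace, so this entry must be processed after the container's namespaces are set up; the hunk alone does not show where lxcContainerMountBasicFS runs relative to that.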
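The difference the commit message describes can be observed directly. The following is an added example written for this page, not libvirt code: it runs the removed bind+remount sequence and the added fresh-sysfs sequence side by side inside a throwaway mount and network namespace, then counts the network devices each view exposes under class/net and checks that both are read-only. The scratch mount points /tmp/sys-bind and /tmp/sys-fresh, the struct and function names, and the fork/unshare harness are all this example's own assumptions; it needs CAP_SYS_ADMIN and otherwise reports -EPERM.

```c
/* Added example, not libvirt code. A read-only bind of the host's /sys still
 * shows the host's devices; a fresh sysfs instance shows the container's. The
 * mount sequences mirror the "-" and "+" lines of the patch; the /tmp mount
 * points and the fork/unshare harness are this example's own assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/wait.h>
#include <unistd.h>

#define BIND_MNT  "/tmp/sys-bind"   /* assumed scratch mount points */
#define FRESH_MNT "/tmp/sys-fresh"

struct sysfs_probe {
    int rc;                     /* 0, or -errno of the first failing step */
    int bind_ro, fresh_ro;      /* 1 if that view is mounted read-only */
    int bind_nics, fresh_nics;  /* entries in <view>/class/net */
};

/* Network devices visible through one sysfs view, or -errno. */
static int count_net_devices(const char *sysroot)
{
    char path[256];
    struct dirent *e;
    int n = 0;
    snprintf(path, sizeof path, "%s/class/net", sysroot);
    DIR *d = opendir(path);
    if (!d)
        return -errno;
    while ((e = readdir(d)) != NULL)
        n += strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0;
    closedir(d);
    return n;
}

/* The removed "-" lines: bind the host's /sys, then remount that bind
 * read-only (MS_RDONLY is ignored on the initial MS_BIND call). */
static int mount_sys_bind_ro(const char *target)
{
    if (mount("/sys", target, NULL, MS_BIND, NULL) < 0 ||
        mount(NULL, target, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0)
        return -errno;
    return 0;
}

/* The added "+" line: a new sysfs superblock, tagged with the mounter's
 * network namespace, read-only and nosuid/noexec/nodev from the start. */
static int mount_sys_fresh_ro(const char *target)
{
    unsigned long flags = MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_RDONLY;
    return mount("sysfs", target, "sysfs", flags, NULL) < 0 ? -errno : 0;
}

/* 1 if path is on a read-only mount, 0 if writable, -errno on error. */
static int is_readonly_mount(const char *path)
{
    struct statvfs st;
    return statvfs(path, &st) < 0 ? -errno : !!(st.f_flag & ST_RDONLY);
}

/* Child side: a private mount namespace so nothing leaks back to the host,
 * plus a fresh network namespace so the "container" owns only "lo". */
static void probe_child(struct sysfs_probe *r)
{
    if (unshare(CLONE_NEWNS | CLONE_NEWNET) < 0 ||
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||
        (mkdir(BIND_MNT, 0755) < 0 && errno != EEXIST) ||
        (mkdir(FRESH_MNT, 0755) < 0 && errno != EEXIST)) { r->rc = -errno; return; }
    if ((r->rc = mount_sys_bind_ro(BIND_MNT)) < 0 ||
        (r->rc = mount_sys_fresh_ro(FRESH_MNT)) < 0)
        return;
    r->bind_ro = is_readonly_mount(BIND_MNT);
    r->fresh_ro = is_readonly_mount(FRESH_MNT);
    r->bind_nics = count_net_devices(BIND_MNT);
    r->fresh_nics = count_net_devices(FRESH_MNT);
    if (r->bind_ro < 0 || r->fresh_ro < 0 || r->bind_nics < 0 || r->fresh_nics < 0)
        r->rc = -EIO;   /* a measurement failed after both mounts succeeded */
}

/* Fork a throwaway child, run the probe there, and hand back its result.
 * Without CAP_SYS_ADMIN the unshare() fails and rc is -EPERM. */
struct sysfs_probe run_sysfs_probe(void)
{
    struct sysfs_probe r = { 0 };
    int fds[2];
    if (pipe(fds) < 0) { r.rc = -errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.rc = -errno; return r; }
    if (pid == 0) {
        close(fds[0]);
        probe_child(&r);
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) r.rc = -EIO;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}
```

Call run_sysfs_probe() from a main() and run it as root: both views report read-only, but the bind view's class/net lists the host's network devices even though the child sits in a brand-new network namespace, while the fresh view lists only lo. That is the leak the patch closes, and why MS_RDONLY alone (which the old bind pair needed a second remount step to apply) was never the point.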

On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
 src/lxc/lxc_container.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
ACK.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 05/10/2012 04:25 PM, Eric Blake wrote:
On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
 src/lxc/lxc_container.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
ACK.
I have been testing this and it is working correctly now.

On Thu, May 10, 2012 at 04:41:49PM -0400, Daniel J Walsh wrote:
On 05/10/2012 04:25 PM, Eric Blake wrote:
On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
 src/lxc/lxc_container.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
ACK.
I have been testing this and it is working correctly now.
While this works fine, I withdraw it in favour of a more complete patch posted in this series https://www.redhat.com/archives/libvir-list/2012-May/msg00671.html

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|