[libvirt] [PATCH] Ensure securityfs is mounted readonly in container

From: Dan Walsh <dwalsh@redhat.com> If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b10..a943b22 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void) { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, #if WITH_SELINUX { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, -- 1.8.3.1
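Review bot: the commit message says "If securityfs is available on the host", but the two new securityfs entries in the lxcContainerMountBasicFS table are unconditional, and nothing in the hunk shows the mount loop tolerating a missing filesystem; on a host kernel without securityfs the first mount(2) fails with ENODEV, so either guard the pair the way the selinuxfs pair is guarded by `#if WITH_SELINUX`, or document that the loop skips entries whose filesystem type is absent. Minor: the read-only remount entry passes "securityfs" as the fstype where the selinuxfs remount passes NULL; the type is ignored for MS_BIND|MS_REMOUNT, so both work, but one consistent style would help. Also, the reply from Gao feng in this thread notes that systemd has not mounted securityfs inside a container since its commit c481f78be7d2620b417e453738ae1d65b576f67e, so the "avoid systemd trying to mount it" rationale should be revised to state the actual benefit, namely that the container sees /sys/kernel/security read-only (MS_RDONLY, MS_NOSUID|MS_NOEXEC|MS_NODEV) rather than being able to mount it writable itself.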

On 08/08/2013 05:52 AM, Daniel P. Berrange wrote:
From: Dan Walsh <dwalsh@redhat.com>
If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 2 ++ 1 file changed, 2 insertions(+)
ACK.

-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 08/08/2013 07:52 PM, Daniel P. Berrange wrote:
From: Dan Walsh <dwalsh@redhat.com>
If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs.
As a result I read the code of systemd; since this commit, systemd doesn't mount securityfs in a container:

commit c481f78be7d2620b417e453738ae1d65b576f67e
Author: Lennart Poettering <lennart@poettering.net>
Date: Tue Sep 18 12:05:47 2012 +0200

    mount: don't mount securityfs in a container

Why does this patch say "This will avoid systemd trying to mount it during startup"?
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b10..a943b22 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void) { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, #if WITH_SELINUX { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
Participants (3):
- Daniel P. Berrange
- Eric Blake
- Gao feng