[libvirt] [PATCH] Add --disable-securityfs configure option
Securityfs is not enabled on all kernels running libvirt containers. This patch introduces a configure option that can specify whether containers should mount securityfs in their rootfs. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- configure.ac | 8 ++++++++ src/lxc/lxc_container.c | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/configure.ac b/configure.ac index 553015a..b4351dd 100644 --- a/configure.ac +++ b/configure.ac @@ -111,6 +111,14 @@ then [Extra package version]) fi +dnl Enable securityfs mounts if necessary +AC_ARG_ENABLE([securityfs], + AS_HELP_STRING([--disable-securityfs], [Disable mounting securityfs from container domains])) + +AS_IF([test "x$enable_securityfs" != "xno"],[ + AC_DEFINE_UNQUOTED([WITH_SECURITYFS],[],[Securityfs present]) + ]) + dnl Required minimum versions of all libs we depend on LIBXML_REQUIRED="2.6.0" GNUTLS_REQUIRED="1.0.25" diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index c60f5d8..72f1e81 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -768,8 +768,10 @@ static const virLXCBasicMountInfo lxcBasicMounts[] = { { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, +#if WITH_SECURITYFS { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, +#endif #if WITH_SELINUX { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, @@ -872,8 +874,10 @@ static int lxcContainerMountBasicFS(bool userns_enabled) continue; #endif +#if WITH_SECURITYFS if (STREQ(mnt->src, "securityfs") && userns_enabled) continue; +#endif if (virFileMakePath(mnt->dst) < 0) { virReportSystemError(errno, -- 1.7.11.7
On Tue, Sep 24, 2013 at 12:53:12PM +0300, Bogdan Purcareata wrote:
Securityfs is not enabled on all kernels running libvirt containers. This patch introduces a configure option that can specify whether containers should mount securityfs in their rootfs.
It would be nicer to detect this at runtime, rather than fixing it at build time. eg check whether the filesystem is mounted on the host, and if not, then don't mount it in the container. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
-----Original Message----- From: Daniel P. Berrange [mailto:berrange@redhat.com] Sent: Tuesday, September 24, 2013 1:15 PM To: Purcareata Bogdan-B43198 Cc: libvir-list@redhat.com Subject: Re: [libvirt] [PATCH] Add --disable-securityfs configure option
On Tue, Sep 24, 2013 at 12:53:12PM +0300, Bogdan Purcareata wrote:
Securityfs is not enabled on all kernels running libvirt containers. This patch introduces a configure option that can specify whether containers should mount securityfs in their rootfs.
It would be nicer to detect this at runtime, rather than fixing it at build time. eg check whether the filesystem is mounted on the host, and if not, then don't mount it in the container.
Isn't it better to detect it based on kernel filesystem support? I mean, instead of checking whether securityfs is mounted, check whether it's present in /proc/filesystems.
Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
On Tue, Sep 24, 2013 at 10:28:23AM +0000, Purcareata Bogdan-B43198 wrote:
-----Original Message----- From: Daniel P. Berrange [mailto:berrange@redhat.com] Sent: Tuesday, September 24, 2013 1:15 PM To: Purcareata Bogdan-B43198 Cc: libvir-list@redhat.com Subject: Re: [libvirt] [PATCH] Add --disable-securityfs configure option
On Tue, Sep 24, 2013 at 12:53:12PM +0300, Bogdan Purcareata wrote:
Securityfs is not enabled on all kernels running libvirt containers. This patch introduces a configure option that can specify whether containers should mount securityfs in their rootfs.
It would be nicer to detect this at runtime, rather than fixing it at build time. eg check whether the filesystem is mounted on the host, and if not, then don't mount it in the container.
Isn't it better to detect it based on kernel filesystem support? I mean, instead of checking whether securityfs is mounted, check whether it's present in /proc/filesystems.
Yep, that would work too. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (3)
-
Bogdan Purcareata -
Daniel P. Berrange -
Purcareata Bogdan-B43198