From db465c684adb917f0751776b362ef7fd8a33b188 Mon Sep 17 00:00:00 2001
Message-Id: <db465c684adb917f0751776b362ef7fd8a33b188.1377873638.git.jdenemar@redhat.com>
From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 13 Aug 2013 11:37:29 +0100
Subject: [PATCH] Ensure securityfs is mounted readonly in container
|
For https://bugzilla.redhat.com/show_bug.cgi?id=872642
|
If securityfs is available on the host, we should ensure it is
mounted read-only in the container. This will avoid systemd
trying to mount it during startup causing SELinux AVCs.
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 6807238d87fd93dee30038bea1e8582a5f0a9fe7)
---
src/lxc/lxc_container.c | 2 ++
1 file changed, 2 insertions(+)
|
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
|
|
|
43fe83 |
index b910b10..a943b22 100644
|
|
|
43fe83 |
--- a/src/lxc/lxc_container.c
|
|
|
43fe83 |
+++ b/src/lxc/lxc_container.c
|
|
|
43fe83 |
@@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void)
|
|
|
43fe83 |
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
|
|
43fe83 |
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
|
|
|
43fe83 |
{ "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
|
|
43fe83 |
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
|
|
|
43fe83 |
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
|
|
|
43fe83 |
#if WITH_SELINUX
|
|
|
43fe83 |
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
|
|
|
43fe83 |
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
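Review bot: The two new table entries mount securityfs unconditionally, while the commit message says this should happen only "if securityfs is available on the host"; the hunk adds no such check, so on a kernel built without securityfs the first added line's mount presumably fails with ENODEV and, unless the loop consuming this table already tolerates that for this entry, container start would fail where it used to succeed. I would either guard these entries with a host-side existence check before the loop runs, or mark the entry as skippable, with a comment such as `/* securityfs is optional on the host; a failed mount here must not be fatal */`. A second, smaller point: the read-only pass on the second added line carries only MS_BIND|MS_REMOUNT|MS_RDONLY, and on Linux a bind-remount replaces the per-mount flags, so the MS_NOSUID|MS_NOEXEC|MS_NODEV from the first line may be dropped — the existing sysfs and selinuxfs lines share the pattern, but if that is confirmed the three flags are worth repeating on the remount line. The mount loop that consumes this table lies outside the hunk.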
--
1.8.3.2
|