render / rpms / libvirt

Forked from rpms/libvirt 10 months ago
Clone
Source Code
GIT

Blame SOURCES/libvirt-LXC-Ensure-security-context-is-set-when-mounting-images.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-sig-hyperscale c8s-stream-rhel c9 c9-beta c9s-sig-hyperscale libvirt-hyperscale-10.4.0 upgrade-hyperscale-libvirt
  1.   898951046de070a95aa510fe09a309f7626c5343
  2.   SOURCES
  3.   libvirt-LXC-Ensure-security-context-is-set-when-mounting-images.patch
Blob History Raw
c401cc 
From 459f9047c9a4ee9b418a9a60467c45e27376af5d Mon Sep 17 00:00:00 2001
c401cc 
Message-Id: <459f9047c9a4ee9b418a9a60467c45e27376af5d.1386348946.git.jdenemar@redhat.com>
c401cc 
From: "Daniel P. Berrange" <berrange@redhat.com>
c401cc 
Date: Mon, 2 Dec 2013 13:40:33 +0000
c401cc 
Subject: [PATCH] LXC: Ensure security context is set when mounting images
c401cc
c401cc 
For
c401cc
c401cc 
  https://bugzilla.redhat.com/show_bug.cgi?id=923903
c401cc
c401cc 
When setting up filesystems backed by block devices or file
c401cc 
images, the SELinux mount options must be used to ensure the
c401cc 
correct context is set
c401cc
c401cc 
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
c401cc 
(cherry picked from commit 262157f6510d5be327d6f6ed5152954cbb9d1e50)
c401cc 
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
c401cc 
---
c401cc 
 src/lxc/lxc_container.c | 36 +++++++++++++++++++++---------------
c401cc 
 1 file changed, 21 insertions(+), 15 deletions(-)
c401cc
c401cc 
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
c401cc 
index 3f54f82..9854b33 100644
c401cc 
--- a/src/lxc/lxc_container.c
c401cc 
+++ b/src/lxc/lxc_container.c
c401cc 
@@ -111,7 +111,8 @@ struct __lxc_child_argv {
c401cc 
 };
c401cc
c401cc 
 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
c401cc 
-                                    const char *srcprefix);
c401cc 
+                                    const char *srcprefix,
c401cc 
+                                    const char *sec_mount_options);
c401cc
c401cc
c401cc 
 /*
c401cc 
@@ -556,7 +557,8 @@ cleanup:
c401cc
c401cc
c401cc 
 static int lxcContainerPrepareRoot(virDomainDefPtr def,
c401cc 
-                                   virDomainFSDefPtr root)
c401cc 
+                                   virDomainFSDefPtr root,
c401cc 
+                                   const char *sec_mount_options)
c401cc 
 {
c401cc 
     char *dst;
c401cc 
     char *tmp;
c401cc 
@@ -586,7 +588,7 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,
c401cc 
     tmp = root->dst;
c401cc 
     root->dst = dst;
c401cc
c401cc 
-    if (lxcContainerMountFSBlock(root, "") < 0) {
c401cc 
+    if (lxcContainerMountFSBlock(root, "", sec_mount_options) < 0) {
c401cc 
         root->dst = tmp;
c401cc 
         VIR_FREE(dst);
c401cc 
         return -1;
c401cc 
@@ -1183,7 +1185,8 @@ lxcContainerMountDetectFilesystem(const char *src ATTRIBUTE_UNUSED,
c401cc 
 static int lxcContainerMountFSBlockAuto(virDomainFSDefPtr fs,
c401cc 
                                         int fsflags,
c401cc 
                                         const char *src,
c401cc 
-                                        const char *srcprefix)
c401cc 
+                                        const char *srcprefix,
c401cc 
+                                        const char *sec_mount_options)
c401cc 
 {
c401cc 
     FILE *fp = NULL;
c401cc 
     int ret = -1;
c401cc 
@@ -1258,8 +1261,9 @@ retry:
c401cc 
             STREQ(type, "*"))
c401cc 
             gotStar = true;
c401cc
c401cc 
-        VIR_DEBUG("Trying mount %s with %s", src, type);
c401cc 
-        if (mount(src, fs->dst, type, fsflags, NULL) < 0) {
c401cc 
+        VIR_DEBUG("Trying mount '%s' on '%s' with '%s' opts '%s'",
c401cc 
+                  src, fs->dst, type, sec_mount_options);
c401cc 
+        if (mount(src, fs->dst, type, fsflags, sec_mount_options) < 0) {
c401cc 
             /* These errnos indicate a bogus filesystem type for
c401cc 
              * the image we have, so skip to the next type
c401cc 
              */
c401cc 
@@ -1310,7 +1314,8 @@ cleanup:
c401cc 
  */
c401cc 
 static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
c401cc 
                                           const char *src,
c401cc 
-                                          const char *srcprefix)
c401cc 
+                                          const char *srcprefix,
c401cc 
+                                          const char *sec_mount_options)
c401cc 
 {
c401cc 
     int fsflags = 0;
c401cc 
     int ret = -1;
c401cc 
@@ -1330,9 +1335,9 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
c401cc 
         goto cleanup;
c401cc
c401cc 
     if (format) {
c401cc 
-        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s'",
c401cc 
-                  src, fs->dst, format);
c401cc 
-        if (mount(src, fs->dst, format, fsflags, NULL) < 0) {
c401cc 
+        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s' opts '%s'",
c401cc 
+                  src, fs->dst, format, sec_mount_options);
c401cc 
+        if (mount(src, fs->dst, format, fsflags, sec_mount_options) < 0) {
c401cc 
             virReportSystemError(errno,
c401cc 
                                  _("Failed to mount device %s to %s as %s"),
c401cc 
                                  src, fs->dst, format);
c401cc 
@@ -1340,7 +1345,7 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
c401cc 
         }
c401cc 
         ret = 0;
c401cc 
     } else {
c401cc 
-        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix);
c401cc 
+        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix, sec_mount_options);
c401cc 
     }
c401cc
c401cc 
 cleanup:
c401cc 
@@ -1350,7 +1355,8 @@ cleanup:
c401cc
c401cc
c401cc 
 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
c401cc 
-                                    const char *srcprefix)
c401cc 
+                                    const char *srcprefix,
c401cc 
+                                    const char *sec_mount_options)
c401cc 
 {
c401cc 
     char *src = NULL;
c401cc 
     int ret = -1;
c401cc 
@@ -1360,7 +1366,7 @@ static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
c401cc 
     if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
c401cc 
         goto cleanup;
c401cc
c401cc 
-    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix);
c401cc 
+    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix, sec_mount_options);
c401cc
c401cc 
     VIR_DEBUG("Done mounting filesystem ret=%d", ret);
c401cc
c401cc 
@@ -1422,7 +1428,7 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,
c401cc 
             return -1;
c401cc 
         break;
c401cc 
     case VIR_DOMAIN_FS_TYPE_BLOCK:
c401cc 
-        if (lxcContainerMountFSBlock(fs, "/.oldroot") < 0)
c401cc 
+        if (lxcContainerMountFSBlock(fs, "/.oldroot", sec_mount_options) < 0)
c401cc 
             return -1;
c401cc 
         break;
c401cc 
     case VIR_DOMAIN_FS_TYPE_RAM:
c401cc 
@@ -1530,7 +1536,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
c401cc 
         goto cleanup;
c401cc
c401cc 
     /* Ensure the root filesystem is mounted */
c401cc 
-    if (lxcContainerPrepareRoot(vmDef, root) < 0)
c401cc 
+    if (lxcContainerPrepareRoot(vmDef, root, sec_mount_options) < 0)
c401cc 
         goto cleanup;
c401cc
c401cc 
     /* Gives us a private root, leaving all parent OS mounts on /.oldroot */
c401cc 
--
c401cc 
1.8.4.5
c401cc

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation