From 459f9047c9a4ee9b418a9a60467c45e27376af5d Mon Sep 17 00:00:00 2001

Message-Id: <459f9047c9a4ee9b418a9a60467c45e27376af5d.1386348946.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Mon, 2 Dec 2013 13:40:33 +0000

Subject: [PATCH] LXC: Ensure security context is set when mounting images

For

  https://bugzilla.redhat.com/show_bug.cgi?id=923903

When setting up filesystems backed by block devices or file

images, the SELinux mount options must be used to ensure the

correct context is set

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit 262157f6510d5be327d6f6ed5152954cbb9d1e50)

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/lxc/lxc_container.c | 36 +++++++++++++++++++++---------------

 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c

index 3f54f82..9854b33 100644

--- a/src/lxc/lxc_container.c

+++ b/src/lxc/lxc_container.c

@@ -111,7 +111,8 @@ struct __lxc_child_argv {

 };

 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,

-                                    const char *srcprefix);

+                                    const char *srcprefix,

+                                    const char *sec_mount_options);

 /*

@@ -556,7 +557,8 @@ cleanup:

 static int lxcContainerPrepareRoot(virDomainDefPtr def,

-                                   virDomainFSDefPtr root)

+                                   virDomainFSDefPtr root,

+                                   const char *sec_mount_options)

 {

     char *dst;

     char *tmp;

@@ -586,7 +588,7 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,

     tmp = root->dst;

     root->dst = dst;

-    if (lxcContainerMountFSBlock(root, "") < 0) {

+    if (lxcContainerMountFSBlock(root, "", sec_mount_options) < 0) {

         root->dst = tmp;

         VIR_FREE(dst);

         return -1;

@@ -1183,7 +1185,8 @@ lxcContainerMountDetectFilesystem(const char *src ATTRIBUTE_UNUSED,

 static int lxcContainerMountFSBlockAuto(virDomainFSDefPtr fs,

                                         int fsflags,

                                         const char *src,

-                                        const char *srcprefix)

+                                        const char *srcprefix,

+                                        const char *sec_mount_options)

 {

     FILE *fp = NULL;

     int ret = -1;

@@ -1258,8 +1261,9 @@ retry:

             STREQ(type, "*"))

             gotStar = true;

-        VIR_DEBUG("Trying mount %s with %s", src, type);

-        if (mount(src, fs->dst, type, fsflags, NULL) < 0) {

+        VIR_DEBUG("Trying mount '%s' on '%s' with '%s' opts '%s'",

+                  src, fs->dst, type, sec_mount_options);

+        if (mount(src, fs->dst, type, fsflags, sec_mount_options) < 0) {

             /* These errnos indicate a bogus filesystem type for

              * the image we have, so skip to the next type

              */

@@ -1310,7 +1314,8 @@ cleanup:

  */

 static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,

                                           const char *src,

-                                          const char *srcprefix)

+                                          const char *srcprefix,

+                                          const char *sec_mount_options)

 {

     int fsflags = 0;

     int ret = -1;

@@ -1330,9 +1335,9 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,

         goto cleanup;

     if (format) {

-        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s'",

-                  src, fs->dst, format);

-        if (mount(src, fs->dst, format, fsflags, NULL) < 0) {

+        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s' opts '%s'",

+                  src, fs->dst, format, sec_mount_options);

+        if (mount(src, fs->dst, format, fsflags, sec_mount_options) < 0) {

             virReportSystemError(errno,

                                  _("Failed to mount device %s to %s as %s"),

                                  src, fs->dst, format);

@@ -1340,7 +1345,7 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,

         }

         ret = 0;

     } else {

-        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix);

+        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix, sec_mount_options);

     }

 cleanup:

@@ -1350,7 +1355,8 @@ cleanup:

 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,

-                                    const char *srcprefix)

+                                    const char *srcprefix,

+                                    const char *sec_mount_options)

 {

     char *src = NULL;

     int ret = -1;

@@ -1360,7 +1366,7 @@ static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,

     if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)

         goto cleanup;

-    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix);

+    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix, sec_mount_options);

     VIR_DEBUG("Done mounting filesystem ret=%d", ret);

@@ -1422,7 +1428,7 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,

             return -1;

         break;

     case VIR_DOMAIN_FS_TYPE_BLOCK:

-        if (lxcContainerMountFSBlock(fs, "/.oldroot") < 0)

+        if (lxcContainerMountFSBlock(fs, "/.oldroot", sec_mount_options) < 0)

             return -1;

         break;

     case VIR_DOMAIN_FS_TYPE_RAM:

@@ -1530,7 +1536,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,

         goto cleanup;

     /* Ensure the root filesystem is mounted */

-    if (lxcContainerPrepareRoot(vmDef, root) < 0)

+    if (lxcContainerPrepareRoot(vmDef, root, sec_mount_options) < 0)

         goto cleanup;

     /* Gives us a private root, leaving all parent OS mounts on /.oldroot */

-- 

1.8.4.5