From 459f9047c9a4ee9b418a9a60467c45e27376af5d Mon Sep 17 00:00:00 2001
Message-Id: <459f9047c9a4ee9b418a9a60467c45e27376af5d.1386348946.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 2 Dec 2013 13:40:33 +0000
Subject: [PATCH] LXC: Ensure security context is set when mounting images

For

  https://bugzilla.redhat.com/show_bug.cgi?id=923903

When setting up filesystems backed by block devices or file
images, the SELinux mount options must be used to ensure the
correct context is set

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 262157f6510d5be327d6f6ed5152954cbb9d1e50)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/lxc/lxc_container.c | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 3f54f82..9854b33 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -111,7 +111,8 @@ struct __lxc_child_argv {
 };
 
 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
-                                    const char *srcprefix);
+                                    const char *srcprefix,
+                                    const char *sec_mount_options);
 
 
 /*
@@ -556,7 +557,8 @@ cleanup:
 
 
 static int lxcContainerPrepareRoot(virDomainDefPtr def,
-                                   virDomainFSDefPtr root)
+                                   virDomainFSDefPtr root,
+                                   const char *sec_mount_options)
 {
     char *dst;
     char *tmp;
@@ -586,7 +588,7 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,
     tmp = root->dst;
     root->dst = dst;
 
-    if (lxcContainerMountFSBlock(root, "") < 0) {
+    if (lxcContainerMountFSBlock(root, "", sec_mount_options) < 0) {
         root->dst = tmp;
         VIR_FREE(dst);
         return -1;
@@ -1183,7 +1185,8 @@ lxcContainerMountDetectFilesystem(const char *src ATTRIBUTE_UNUSED,
 static int lxcContainerMountFSBlockAuto(virDomainFSDefPtr fs,
                                         int fsflags,
                                         const char *src,
-                                        const char *srcprefix)
+                                        const char *srcprefix,
+                                        const char *sec_mount_options)
 {
     FILE *fp = NULL;
     int ret = -1;
@@ -1258,8 +1261,9 @@ retry:
             STREQ(type, "*"))
             gotStar = true;
 
-        VIR_DEBUG("Trying mount %s with %s", src, type);
-        if (mount(src, fs->dst, type, fsflags, NULL) < 0) {
+        VIR_DEBUG("Trying mount '%s' on '%s' with '%s' opts '%s'",
+                  src, fs->dst, type, sec_mount_options);
+        if (mount(src, fs->dst, type, fsflags, sec_mount_options) < 0) {
             /* These errnos indicate a bogus filesystem type for
              * the image we have, so skip to the next type
              */
@@ -1310,7 +1314,8 @@ cleanup:
  */
 static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
                                           const char *src,
-                                          const char *srcprefix)
+                                          const char *srcprefix,
+                                          const char *sec_mount_options)
 {
     int fsflags = 0;
     int ret = -1;
@@ -1330,9 +1335,9 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
         goto cleanup;
 
     if (format) {
-        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s'",
-                  src, fs->dst, format);
-        if (mount(src, fs->dst, format, fsflags, NULL) < 0) {
+        VIR_DEBUG("Mount '%s' on '%s' with detected format '%s' opts '%s'",
+                  src, fs->dst, format, sec_mount_options);
+        if (mount(src, fs->dst, format, fsflags, sec_mount_options) < 0) {
             virReportSystemError(errno,
                                  _("Failed to mount device %s to %s as %s"),
                                  src, fs->dst, format);
@@ -1340,7 +1345,7 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
         }
         ret = 0;
     } else {
-        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix);
+        ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, srcprefix, sec_mount_options);
     }
 
 cleanup:
@@ -1350,7 +1355,8 @@ cleanup:
 
 
 static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
-                                    const char *srcprefix)
+                                    const char *srcprefix,
+                                    const char *sec_mount_options)
 {
     char *src = NULL;
     int ret = -1;
@@ -1360,7 +1366,7 @@ static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
     if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
         goto cleanup;
 
-    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix);
+    ret = lxcContainerMountFSBlockHelper(fs, src, srcprefix, sec_mount_options);
 
     VIR_DEBUG("Done mounting filesystem ret=%d", ret);
 
@@ -1422,7 +1428,7 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,
             return -1;
         break;
     case VIR_DOMAIN_FS_TYPE_BLOCK:
-        if (lxcContainerMountFSBlock(fs, "/.oldroot") < 0)
+        if (lxcContainerMountFSBlock(fs, "/.oldroot", sec_mount_options) < 0)
             return -1;
         break;
     case VIR_DOMAIN_FS_TYPE_RAM:
@@ -1530,7 +1536,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
         goto cleanup;
 
     /* Ensure the root filesystem is mounted */
-    if (lxcContainerPrepareRoot(vmDef, root) < 0)
+    if (lxcContainerPrepareRoot(vmDef, root, sec_mount_options) < 0)
         goto cleanup;
 
     /* Gives us a private root, leaving all parent OS mounts on /.oldroot */
-- 
1.8.4.5