• D
    Apply security label when entering LXC namespaces · e4e69e89
    Daniel P. Berrange 提交于
    Add a new virDomainLxcEnterSecurityLabel() function as a
    counterpart to virDomainLxcEnterNamespaces(), which can
    change the current calling process to have a new security
    context. This call runs client side, not in libvirtd
    so we can't use the security driver infrastructure.
    
    When entering a namespace, the process spawned from virsh
    will default to running with the security label of virsh.
    The actual desired behaviour is to run with the security
    label of the container most of the time. So this changes
    virsh lxc-enter-namespace command to invoke the
    virDomainLxcEnterSecurityLabel method.
    
    The current behaviour is:
    
    LABEL                             PID TTY          TIME CMD
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
    staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps
    
    Note the ps command is running as unconfined_t,  After this patch,
    
    The new behaviour is this:
    
    virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
    LABEL                             PID TTY          TIME CMD
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
    system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps
    
    The '--noseclabel' flag can be used to skip security labelling.
    Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
    e4e69e89
generator.py 75.4 KB