Ensure securityfs is mounted readonly in container

If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>

Ensure securityfs is mounted readonly in container
If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>
6807238d · Dan Walsh · Daniel P. Berrange · c4eb1206 · 6807238d
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

src/lxc/lxc_container.c src/lxc/lxc_container.c +2 -0

未找到文件。
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void)
        { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
        { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
        { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
 #if WITH_SELINUX
        { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
        { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },