提交 6d5fdde3 编写于 作者: D Daniel P. Berrange

Remove duplicate entries in lxcBasicMounts array

Currently the lxcBasicMounts array has separate entries for
most mounts, to reflect that we must do a separate mount
operation to make mounts read-only. Remove the duplicate
entries and instead set the MS_RDONLY flag against the main
entry. Then change lxcContainerMountBasicFS to look for the
MS_RDONLY flag, mask it out & do a separate bind mount.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 f567a583
...@@ -758,22 +758,12 @@ typedef struct { ...@@ -758,22 +758,12 @@ typedef struct {
} virLXCBasicMountInfo; } virLXCBasicMountInfo;
static const virLXCBasicMountInfo lxcBasicMounts[] = { static const virLXCBasicMountInfo lxcBasicMounts[] = {
/* When we want to make a bind mount readonly, for unknown reasons,
* it is currently necessary to bind it once, and then remount the
* bind with the readonly flag. If this is not done, then the original
* mount point in the main OS becomes readonly too which is not what
* we want. Hence some things have two entries here.
*/
{ "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "/proc/sys", "/proc/sys", NULL, MS_BIND }, { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY },
{ "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "securityfs", "/sys/kernel/security", "securityfs", MS_BIND|MS_REMOUNT|MS_RDONLY },
#if WITH_SELINUX #if WITH_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
#endif #endif
}; };
...@@ -854,6 +844,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -854,6 +844,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
VIR_DEBUG("Mounting basic filesystems"); VIR_DEBUG("Mounting basic filesystems");
for (i = 0; i < ARRAY_CARDINALITY(lxcBasicMounts); i++) { for (i = 0; i < ARRAY_CARDINALITY(lxcBasicMounts); i++) {
bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i]; virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
VIR_DEBUG("Processing %s -> %s", VIR_DEBUG("Processing %s -> %s",
...@@ -880,13 +871,32 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -880,13 +871,32 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
goto cleanup; goto cleanup;
} }
/*
* We can't immediately set the MS_RDONLY flag when mounting filesystems
* because (in at least some kernel versions) this will propagate back
* to the original mount in the host OS, turning it readonly too. Thus
* we mount the filesystem in read-write mode initially, and then do a
* separate read-only bind mount on top of that.
*/
bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
VIR_DEBUG("Mount %s on %s type=%s flags=%x", VIR_DEBUG("Mount %s on %s type=%s flags=%x",
mnt->src, mnt->dst, mnt->type, mnt->mflags); mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY);
if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags, NULL) < 0) { if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to mount %s on %s type %s flags=%x"), _("Failed to mount %s on %s type %s flags=%x"),
mnt->src, mnt->dst, NULLSTR(mnt->type), mnt->src, mnt->dst, NULLSTR(mnt->type),
mnt->mflags); mnt->mflags & ~MS_RDONLY);
goto cleanup;
}
if (bindOverReadonly &&
mount(mnt->src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"),
mnt->src, mnt->dst,
MS_BIND|MS_REMOUNT|MS_RDONLY);
goto cleanup; goto cleanup;
} }
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册