Change label of fusefs mounted at /proc/meminfo in lxc containers

We do not want to allow contained applications to be able to read fusefs_t. So we want /proc/meminfo label to match the system default proc_t. Fix checking of error codes

Change label of fusefs mounted at /proc/meminfo in lxc containers
We do not want to allow contained applications to be able to read fusefs_t. So we want /proc/meminfo label to match the system default proc_t. Fix checking of error codes
940c6f10 · Dan Walsh · Michal Privoznik · 7bb7510d · 940c6f10
隐藏空白更改
内联并排

Showing with 24 addition and 0 deletion

src/lxc/lxc_container.c src/lxc/lxc_container.c +24 -0

未找到文件。
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -52,6 +52,10 @@
 # include <blkid/blkid.h>
 #endif

+#if WITH_SELINUX
+# include <selinux/selinux.h>
+#endif
+
 #include "virerror.h"
 #include "virlog.h"
 #include "lxc_container.h"
@@ -756,6 +760,26 @@ static int lxcContainerMountProcFuse(virDomainDefPtr def)
                           def->name)) < 0)
        return ret;

+# if WITH_SELINUX
+    if (is_selinux_enabled() > 0) {
+        security_context_t scon;
+        ret = getfilecon("/proc/meminfo", &scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to get security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+        ret = setfilecon(meminfo_path, scon);
+        freecon(scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to set security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+    }
+# endif
    if ((ret = mount(meminfo_path, "/proc/meminfo",
                     NULL, MS_BIND, NULL)) < 0) {
        virReportSystemError(errno,