From 9ecbd38c4c4a582bc17749b97c4641ee80f42d75 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 7 Oct 2013 13:12:15 +0100
Subject: [PATCH] Skip any files which are not mounted on the host

Currently the LXC container tries to skip selinux/securityfs
mounts if the directory does not exist in the filesystem,
or if SELinux is disabled.

The former check is flawed because the /sys/fs/selinux
or /sys/kernel/securityfs directories may exist in sysfs
even if the mount type is disabled. Instead of just doing
an access() check, use an virFileIsMounted() to see if
the FS is actually present in the host OS. This also
avoids the need to check is_selinux_enabled().

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 src/lxc/lxc_container.c | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index ab394d1145..c000a824aa 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -756,15 +756,16 @@ typedef struct {
     const char *type;
     int mflags;
     bool skipUserNS;
+    bool skipUnmounted;
 } virLXCBasicMountInfo;
 
 static const virLXCBasicMountInfo lxcBasicMounts[] = {
-    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
-    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false },
-    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false },
-    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
+    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
+    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
+    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
+    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
 #if WITH_SELINUX
-    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
+    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
 #endif
 };
 
@@ -851,16 +852,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
         VIR_DEBUG("Processing %s -> %s",
                   mnt->src, mnt->dst);
 
-        /* Skip if mount doesn't exist in source */
-        if ((mnt->src[0] == '/') &&
-            (access(mnt->src, R_OK) < 0))
-            continue;
+        if (mnt->skipUnmounted) {
+            char *hostdir;
+            int ret;
 
-#if WITH_SELINUX
-        if (STREQ(mnt->src, SELINUX_MOUNT) &&
-            !is_selinux_enabled())
-            continue;
-#endif
+            if (virAsprintf(&hostdir, "/.oldroot%s", mnt->dst) < 0)
+                goto cleanup;
+
+            ret = virFileIsMountPoint(hostdir);
+            VIR_FREE(hostdir);
+            if (ret < 0)
+                goto cleanup;
+
+            if (ret == 0) {
+                VIR_DEBUG("Skipping '%s' which isn't mounted in host",
+                          mnt->dst);
+                continue;
+            }
+        }
 
         if (mnt->skipUserNS && userns_enabled) {
             VIR_DEBUG("Skipping due to user ns enablement");
-- 
GitLab