Honour filesystem readonly flag & make special FS readonly

A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled. Honour the readonly flag when mounting container filesystems from the guest XML config * src/lxc/lxc_container.c: Support readonly mounts

Honour filesystem readonly flag & make special FS readonly
A container should not be allowed to modify stuff in /sys or /proc/sys so make them readonly. Make /selinux readonly so that containers think that selinux is disabled. Honour the readonly flag when mounting container filesystems from the guest XML config * src/lxc/lxc_container.c: Support readonly mounts
b3ad9b9b · Daniel P. Berrange · 6d37888e · b3ad9b9b
隐藏空白更改
内联并排

Showing with 29 addition and 0 deletion

src/lxc/lxc_container.c src/lxc/lxc_container.c +29 -0

未找到文件。
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -363,6 +363,15 @@ static int lxcContainerPivotRoot(virDomainFSDefPtr root)
        goto err;
    }

+    if (root->readonly) {
+        if (mount(root->src, newroot, NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make new root %s readonly"),
+                                 root->src);
+            goto err;
+        }
+    }
+
    /* Now we chroot into the tmpfs, then pivot into the
     * root->src bind-mounted onto '/new' */
    if (chdir(newroot) < 0) {
@@ -403,11 +412,20 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
        const char *opts;
        int mflags;
    } mnts[] = {
+        /* When we want to make a bind mount readonly, for unknown reasons,
+         * it is currently neccessary to bind it once, and then remount the
+         * bind with the readonly flag. If this is not done, then the original
+         * mount point in the main OS becomes readonly too which si not what
+         * we want. Hence some things have two entries here.
+         */
        { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
        { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
        { true, "/sys", "/sys", NULL, NULL, MS_BIND },
+        { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
+        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
    };
    int i, rc = -1;

@@ -573,6 +591,17 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
        goto cleanup;
    }

+    if (fs->readonly) {
+        VIR_DEBUG("Binding %s readonly", fs->dst);
+        if (mount(fs->dst, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to make directory %s readonly"),
+                                 fs->dst);
+            goto cleanup;
+        }
+
+    }
+
    ret = 0;

    VIR_DEBUG("Done mounting filesystem ret=%d", ret);