#include <unistd.h>
#include <mntent.h>
-#if HAVE_SELINUX
-# include <selinux/selinux.h>
-#endif
-
/* Yes, we want linux private one, for _syscall2() macro */
#include <linux/unistd.h>
}
-static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
+static int lxcContainerMountBasicFS(virDomainDefPtr def,
+ const char *srcprefix,
+ bool pivotRoot,
+ virSecurityManagerPtr securityDriver)
{
const struct {
bool needPrefix;
};
int i, rc = -1;
char *opts = NULL;
-#if HAVE_SELINUX
- security_context_t con;
-#endif
VIR_DEBUG("Mounting basic filesystems %s pivotRoot=%d", NULLSTR(srcprefix), pivotRoot);
}
if (pivotRoot) {
-#if HAVE_SELINUX
- if (getfilecon("/", &con) < 0 &&
- errno != ENOTSUP) {
- virReportSystemError(errno, "%s",
- _("Failed to query file context on /"));
- goto cleanup;
- }
-#endif
/*
* tmpfs is limited to 64kb, since we only have device nodes in there
* and don't want to DOS the entire OS RAM usage
*/
-#if HAVE_SELINUX
- if (con)
- ignore_value(virAsprintf(&opts,
- "mode=755,size=65536,context=\"%s\"",
- (const char *)con));
- else
-#endif
- opts = strdup("mode=755,size=65536");
-
+ char *mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
+ ignore_value(virAsprintf(&opts,
+ "mode=755,size=65536%s",(mount_options ? mount_options : "")));
+ VIR_FREE(mount_options);
if (!opts) {
virReportOOMError();
goto cleanup;
static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
- size_t nttyPaths)
+ size_t nttyPaths,
+ virSecurityManagerPtr securityDriver)
{
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
if (lxcContainerPivotRoot(root) < 0)
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS("/.oldroot", true) < 0)
+ if (lxcContainerMountBasicFS(vmDef, "/.oldroot", true, securityDriver) < 0)
return -1;
/* Mounts /dev/pts */
/* Nothing mapped to /, we're using the main root,
but with extra stuff mapped in */
-static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
+static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
+ virSecurityManagerPtr securityDriver)
{
VIR_DEBUG("def=%p", vmDef);
/*
return -1;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(NULL, false) < 0)
+ if (lxcContainerMountBasicFS(vmDef, NULL, false, securityDriver) < 0)
return -1;
VIR_DEBUG("Mounting completed");
static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
virDomainFSDefPtr root,
char **ttyPaths,
- size_t nttyPaths)
+ size_t nttyPaths,
+ virSecurityManagerPtr securityDriver)
{
if (lxcContainerResolveSymlinks(vmDef) < 0)
return -1;
if (root)
- return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths);
+ return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, securityDriver);
else
- return lxcContainerSetupExtraMounts(vmDef);
+ return lxcContainerSetupExtraMounts(vmDef, securityDriver);
}
goto cleanup;
}
- if (lxcContainerSetupMounts(vmDef, root, argv->ttyPaths, argv->nttyPaths) < 0)
+ if (lxcContainerSetupMounts(vmDef, root,
+ argv->ttyPaths, argv->nttyPaths,
+ argv->securityDriver) < 0)
goto cleanup;
if (!virFileExists(vmDef->os.init)) {
# define NUMA_VERSION1_COMPATIBILITY 1
# include <numa.h>
#endif
-#if HAVE_SELINUX
-# include <selinux/selinux.h>
-#endif
#include "virterror_internal.h"
#include "logging.h"
size_t nloopDevs = 0;
int *loopDevs = NULL;
size_t i;
+ char *mount_options = NULL;
if (VIR_ALLOC_N(containerTtyFDs, nttyFDs) < 0) {
virReportOOMError();
* marked as shared
*/
if (root) {
-#if HAVE_SELINUX
- security_context_t con;
-#else
- bool con = false;
-#endif
+ mount_options = virSecurityManagerGetMountOptions(securityDriver, def);
char *opts;
VIR_DEBUG("Setting up private /dev/pts");
goto cleanup;
}
-#if HAVE_SELINUX
- if (getfilecon(root->src, &con) < 0 &&
- errno != ENOTSUP) {
- virReportSystemError(errno,
- _("Failed to query file context on %s"),
- root->src);
- goto cleanup;
- }
-#endif
/* XXX should we support gid=X for X!=5 for distros which use
* a different gid for tty? */
- if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s%s%s",
- con ? ",context=\"" : "",
- con ? (const char *)con : "",
- con ? "\"" : "") < 0) {
+ if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s",
+ (mount_options ? mount_options : "")) < 0) {
virReportOOMError();
goto cleanup;
}
monitor = client = -1;
cleanup:
+ VIR_FREE(mount_options);
VIR_FREE(devptmx);
VIR_FREE(devpts);
VIR_FORCE_CLOSE(control[0]);
projects / libvirt.git / commitdiff