Add flag to lxcBasicMounts to control use in user namespaces

Some mounts must be skipped if running inside a user namespace,
since the kernel forbids their use. Instead of strcmp'ing the
filesystem type in the body of the loop, set an explicit flag
in the lxcBasicMounts table.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 702d3f1a5e5f4c139128f50ce91b0282942ecae0..ab394d114589579b982c5e772627a2cd7c80705f 100644 (file)
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -755,15 +755,16 @@ typedef struct {
     const char *dst;
     const char *type;
     int mflags;
+    bool skipUserNS;
 } virLXCBasicMountInfo;
 
 static const virLXCBasicMountInfo lxcBasicMounts[] = {
-    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV },
-    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY },
-    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
-    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
+    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
+    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false },
+    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false },
+    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
 #if WITH_SELINUX
-    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
+    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
 #endif
 };
 
@@ -857,12 +858,14 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
 
 #if WITH_SELINUX
         if (STREQ(mnt->src, SELINUX_MOUNT) &&
-            (!is_selinux_enabled() || userns_enabled))
+            !is_selinux_enabled())
             continue;
 #endif
 
-        if (STREQ(mnt->src, "securityfs") && userns_enabled)
+        if (mnt->skipUserNS && userns_enabled) {
+            VIR_DEBUG("Skipping due to user ns enablement");
             continue;
+        }
 
         if (virFileMakePath(mnt->dst) < 0) {
             virReportSystemError(errno,