-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Simple patch to make sure /sys/kernel/security is mounted inside the container. systemd attempts to use, or to mount, this file system itself if it is not already present. One of these days I will figure out how to merge patches. securityfs has to be mounted after /sys... Also want to mount it read-only. (Sent patches to wrong list, originally) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlEL6yUACgkQrlYvE4MpobOTuwCfWkrq/wiPQKPG4y69fIhjDqqr riQAnis3qdRKzRJIpB4PbPGXTgR3nrKt =D+T5 -----END PGP SIGNATURE-----
>From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwa...@redhat.com>
Date: Tue, 6 Nov 2012 13:26:50 -0500
Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for containers

---
 src/lxc/lxc_container.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 8faa664..e06313e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
 #if HAVE_SELINUX
-- 
1.8.0
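Review bot: The added securityfs row is placed before the two sysfs rows and carries only MS_BIND|MS_REMOUNT|MS_RDONLY, so when the table is applied in order /sys is not mounted yet and there is no securityfs mount at /sys/kernel/security to remount; on its own this row cannot bring securityfs into the container. Patch 3/5 below moves the row after the sysfs entries and splits it into a real mount, `{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },`, followed by the read-only bind remount, which is the form this entry needs. The two patches would be clearer squashed into one, as the cover note itself suggests, so the tree never carries the broken intermediate state. The mount table and the loop that applies it continue outside the hunk.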
>From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwa...@redhat.com>
Date: Tue, 6 Nov 2012 15:07:21 -0500
Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the container

---
 src/lxc/lxc_container.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 17f685d..9030c27 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
- { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
 #if HAVE_SELINUX
 { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
-- 
1.8.0
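Review bot: The two new securityfs rows are unconditional, unlike the selinuxfs rows immediately below them that sit under #if HAVE_SELINUX; if the loop that consumes this table (outside the hunk) treats a failed mount(2) as fatal, a container on a kernel built without securityfs would fail to start instead of merely lacking /sys/kernel/security. It would be worth either tolerating ENODEV/ENOENT for this entry or stating in the commit message that securityfs is now a hard requirement. The ordering and the read-only remount are right, and a short comment above the rows would save the next reader re-deriving it: `/* securityfs lives below /sys, so it must follow the sysfs rows; remounted read-only like sysfs and selinuxfs so the container cannot write to the LSM interfaces exposed there */`. The enclosing mount table continues before and after the hunk.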