[libvirt] [PATCH] Change label of fusefs mounted at /proc/meminfo in lxc containers

Daniel P. Berrange berrange at redhat.com
Thu May 16 16:09:03 UTC 2013 

On Thu, May 16, 2013 at 05:04:06PM +0100, Daniel P. Berrange wrote:
> On Wed, May 15, 2013 at 10:35:48AM -0400, dwalsh at redhat.com wrote:
> > From: Dan Walsh <dwalsh at redhat.com>
> > 
> > We do not want to allow contained applications to be able to read fusefs_t.
> > So we want /proc/meminfo label to match the system default proc_t.
> > 
> > Fix checking of error codes
> > ---
> >  src/lxc/lxc_container.c | 24 ++++++++++++++++++++++++
> >  1 file changed, 24 insertions(+)
> > 
> > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > index 8e1d10a..8c0edb0 100644
> > --- a/src/lxc/lxc_container.c
> > +++ b/src/lxc/lxc_container.c
> > @@ -52,6 +52,10 @@
> >  # include <blkid/blkid.h>
> >  #endif
> >  
> > +#if WITH_SELINUX
> > +# include <selinux/selinux.h>
> > +#endif
> > +
> >  #include "virerror.h"
> >  #include "virlog.h"
> >  #include "lxc_container.h"
> > @@ -761,6 +765,26 @@ static int lxcContainerMountProcFuse(virDomainDefPtr def,
> >                             def->name)) < 0)
> >          return ret;
> >  
> > +#if WITH_SELINUX
> > +    if (is_selinux_enabled() > 0) {
> > +        security_context_t scon;
> > +        ret = getfilecon("/proc/meminfo", &scon);
> > +        if (ret < 0) {
> > +            virReportSystemError(errno,
> > +                                 _("Failed to get security context of %s for /proc/meminfo mount point"),
> > +                                 meminfo_path);
> > +            return ret;
> > +        }
> > +        ret = setfilecon(meminfo_path, scon);
> > +        freecon(scon);
> > +        if (ret < 0) {
> > +            virReportSystemError(errno,
> > +                                 _("Failed to set security context of %s for /proc/meminfo mount point"),
> > +                                 meminfo_path);
> 
> So I'm not unable to start any containers with this patch applied:
> 
> 2013-05-16 16:01:47.835+0000: 1: error : lxcContainerMountProcFuse:787 : Failed to set security context of /.oldroot//run/libvirt/lxc/busy.fuse/meminfo for /proc/meminfo mount point: Operation not supported
> 
> 
> What distro + kernel version did you test this with ?  I'm using current
> F19 with kernel 3.9.0-0.rc8.git0.2.fc19.x86_64 when I see the failure

Indeed, even trying to change it manually fails

# chcon system_u:object_r:proc_t:s0 /proc/8180/root/proc/meminfo
chcon: failed to change context of ‘/proc/8180/root/proc/meminfo’ to ‘system_u:object_r:proc_t:s0’: Operation not supported



Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list