[libvirt] [PATCH] Add --disable-securityfs configure option

Bogdan Purcareata bogdan.purcareata at freescale.com
Tue Sep 24 09:53:12 UTC 2013


Securityfs is not enabled on all kernels running libvirt containers.
This patch introduces a configure option that can specify whether
containers should mount securityfs in their rootfs.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
---
 configure.ac            | 8 ++++++++
 src/lxc/lxc_container.c | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/configure.ac b/configure.ac
index 553015a..b4351dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,14 @@ then
                      [Extra package version])
 fi
 
+dnl Enable securityfs mounts if necessary
+AC_ARG_ENABLE([securityfs],
+	       AS_HELP_STRING([--disable-securityfs], [Disable mounting securityfs from container domains]))
+
+AS_IF([test "x$enable_securityfs" != "xno"],[
+       AC_DEFINE_UNQUOTED([WITH_SECURITYFS],[],[Securityfs present])
+      ])
+
 dnl Required minimum versions of all libs we depend on
 LIBXML_REQUIRED="2.6.0"
 GNUTLS_REQUIRED="1.0.25"
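Review bot: `AC_DEFINE_UNQUOTED([WITH_SECURITYFS],[],...)` defines the macro with an empty value, but both hunks in src/lxc/lxc_container.c test it with `#if WITH_SECURITYFS`, which needs an expression. As far as I can tell, the empty expansion makes that directive ill-formed in the default (enabled) build. Defining it to 1 matches how `#if WITH_SELINUX` is used in the same table: `AC_DEFINE([WITH_SECURITYFS],[1],[Securityfs present])`. Plain AC_DEFINE is enough here because the value involves no shell expansion.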
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c60f5d8..72f1e81 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -768,8 +768,10 @@ static const virLXCBasicMountInfo lxcBasicMounts[] = {
     { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
     { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
     { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+#if WITH_SECURITYFS
     { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
     { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+#endif
 #if WITH_SELINUX
     { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
     { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
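Review bot: The two securityfs entries are now selected at build time, while the commit message describes a property of the running kernel. A default build would presumably still attempt the mount on a host without securityfs, and a --disable-securityfs build leaves /sys/kernel/security unmounted in containers on hosts that do have it. A runtime availability check before the mount would cover both cases. Failing that, the table should say why the pair is optional, e.g. `/* optional: kernels built without securityfs cannot mount it; see --disable-securityfs */` above the `#if`. The lxcBasicMounts initializer starts and ends outside this hunk.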
@@ -872,8 +874,10 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
             continue;
 #endif
 
+#if WITH_SECURITYFS
         if (STREQ(mnt->src, "securityfs") && userns_enabled)
             continue;
+#endif
 
         if (virFileMakePath(mnt->dst) < 0) {
             virReportSystemError(errno,
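Review bot: The `#if WITH_SECURITYFS` / `#endif` pair around the user-namespace skip is redundant. With the table entries compiled out, no `mnt->src` equals "securityfs", so the `STREQ` test can stay unconditional and the loop carries one fewer preprocessor branch. The skip also has no comment; `/* securityfs is skipped when a user namespace is in use */` would record the intent, and someone who knows the underlying reason should add it. lxcContainerMountBasicFS starts before and continues past this hunk.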
-- 
1.7.11.7




