[libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers

Richard Weinberger richard at nod.at
Tue Feb 11 22:51:26 UTC 2014


For security reasons we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
to containers.
It is currently not safe to give a container access to a resource controller.

Signed-off-by: Richard Weinberger <richard at nod.at>
---
 src/lxc/lxc_container.c | 3 ++-
 src/util/vircgroup.c    | 5 ++++-
 src/util/vircgroup.h    | 3 ++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c6bdc8c..abd2db4 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1654,7 +1654,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
 
     /* Now we can re-mount the cgroups controllers in the
      * same configuration as before */
-    if (virCgroupIsolateMount(cgroup, "/.oldroot/", sec_mount_options) < 0)
+    if (virCgroupIsolateMount(cgroup, "/.oldroot/", sec_mount_options,
+        (1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0)
         goto cleanup;
 
     /* Mounts /dev */
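Review bot: The continuation line `(1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0)` is indented by only four spaces, while the line above it (and libvirt's usual style) aligns continuation arguments under the call's first argument, so the mask reads like a separate statement rather than the fourth argument; `                              (1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0)` would match. The reason for passing exactly one controller lives only in the commit message; a short comment at the call site would keep it with the code, e.g. `/* Deliberately expose only the systemd hierarchy; no resource controller is delegated to the container */`. lxcContainerSetupPivotRoot starts and ends outside the hunk.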
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index b2666e8..c75de9f 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -3166,7 +3166,7 @@ virCgroupGetFreezerState(virCgroupPtr group, char **state)
 
 int
 virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
-                      const char *mountopts)
+                      const char *mountopts, int controllers)
 {
     int ret = -1;
     size_t i;
@@ -3197,6 +3197,9 @@ virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
     }
 
     for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {
+        if (!((1 << i) & controllers))
+            continue;
+
         if (!group->controllers[i].mountPoint)
             continue;
 
diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index 6e00f28..c005d28 100644
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -221,7 +221,8 @@ int virCgroupKillPainfully(virCgroupPtr group);
 
 int virCgroupIsolateMount(virCgroupPtr group,
                           const char *oldroot,
-                          const char *mountopts);
+                          const char *mountopts,
+                          int controllers);
 
 bool virCgroupSupportsCpuBW(virCgroupPtr cgroup);
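Review bot: The prototype gains `int controllers` without saying how it is encoded, and a caller that passes a VIR_CGROUP_CONTROLLER_* enum value instead of its bit would silently select the wrong hierarchies. Add a comment above the declaration, e.g. `/* controllers: bitmask of (1 << VIR_CGROUP_CONTROLLER_*) values selecting which controllers are mounted into the new root; all others are not exposed */`; the same note applies to the definition in the vircgroup.c hunk.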
 
-- 
1.8.4.5



