Richard W.M. Jones
2014-Jan-28 16:21 UTC
[Libguestfs] [PATCH 1/2] daemon: If /selinux exists in the guest, bind-mount /sys/fs/selinux to there.
Commit 72afcf450a78b7e58f65b4a7aaf94d71cd25fca5 was partially incorrect. If the guest userspace is expecting /selinux to exist, then we should bind-mount /sys/fs/selinux from the appliance kernel there.
---
daemon/command.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/daemon/command.c b/daemon/command.c
index 1aa1a52..939bf87 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -47,9 +47,10 @@ struct bind_state {
 char *sysroot_dev;
 char *sysroot_dev_pts;
 char *sysroot_proc;
+ char *sysroot_selinux;
 char *sysroot_sys;
 char *sysroot_sys_fs_selinux;
- bool dev_ok, dev_pts_ok, proc_ok, sys_ok, sys_fs_selinux_ok;
+ bool dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok, sys_fs_selinux_ok;
 };

 struct resolver_state {
@@ -76,16 +77,18 @@ bind_mount (struct bind_state *bs)
 bs->sysroot_dev = sysroot_path ("/dev");
 bs->sysroot_dev_pts = sysroot_path ("/dev/pts");
 bs->sysroot_proc = sysroot_path ("/proc");
+ bs->sysroot_selinux = sysroot_path ("/selinux");
 bs->sysroot_sys = sysroot_path ("/sys");
 bs->sysroot_sys_fs_selinux = sysroot_path ("/sys/fs/selinux");

 if (bs->sysroot_dev == NULL || bs->sysroot_dev_pts == NULL ||
- bs->sysroot_proc == NULL || bs->sysroot_sys == NULL ||
- bs->sysroot_sys_fs_selinux == NULL) {
+ bs->sysroot_proc == NULL || bs->sysroot_selinux == NULL ||
+ bs->sysroot_sys == NULL || bs->sysroot_sys_fs_selinux == NULL) {
 reply_with_perror ("malloc");
 free (bs->sysroot_dev);
 free (bs->sysroot_dev_pts);
 free (bs->sysroot_proc);
+ free (bs->sysroot_selinux);
 free (bs->sysroot_sys);
 free (bs->sysroot_sys_fs_selinux);
 return -1;
@@ -97,6 +100,11 @@ bind_mount (struct bind_state *bs)
 bs->dev_pts_ok = r != -1;
 r = command (NULL, NULL, str_mount, "--bind", "/proc", bs->sysroot_proc, NULL);
 bs->proc_ok = r != -1;
+ /* Note on the next line we have to bind-mount /sys/fs/selinux (appliance
+ * kernel) on top of /selinux (where guest is expecting selinux).
+ */
+ r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_selinux, NULL);
+ bs->selinux_ok = r != -1;
 r = command (NULL, NULL, str_mount, "--bind", "/sys", bs->sysroot_sys, NULL);
 bs->sys_ok = r != -1;
 r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_sys_fs_selinux, NULL);
@@ -121,6 +129,8 @@ free_bind_state (struct bind_state *bs)
 free (bs->sysroot_sys_fs_selinux);
 if (bs->sys_ok) umount_ignore_fail (bs->sysroot_sys);
 free (bs->sysroot_sys);
+ if (bs->selinux_ok) umount_ignore_fail (bs->sysroot_selinux);
+ free (bs->sysroot_selinux);
 if (bs->proc_ok) umount_ignore_fail (bs->sysroot_proc);
 free (bs->sysroot_proc);
 if (bs->dev_pts_ok) umount_ignore_fail (bs->sysroot_dev_pts);
--
1.8.4.2
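Review bot: The new bind mount onto `bs->sysroot_selinux` is attempted without first checking what the guest actually has at /selinux, so the "if /selinux exists" condition from the subject is enforced only by the mount failing and `selinux_ok` staying false; because the target path lives on the guest filesystem, a symlink there would be followed by mount(8) and the appliance's selinuxfs would land wherever it points instead of being refused. An `lstat` requiring `S_ISDIR` before the `command` call makes the existence test explicit and skips the mount for anything that is not a plain directory, which also avoids a failed mount attempt on every call for guests that never had /selinux. The same consideration applies to the pre-existing /dev, /proc and /sys mounts above this hunk, which the commit does not change. bind_mount's body starts and ends outside the hunk, and `<sys/stat.h>` must be in scope for lstat, which I cannot confirm from here.

```c
  /* … unchanged: /dev, /dev/pts and /proc bind mounts … */
  /* Only bind-mount the appliance's /sys/fs/selinux onto the guest's
   * /selinux when the guest provides a real directory there; lstat
   * (not stat) so a symlink is not followed and the mount is skipped.
   */
  struct stat st;
  if (lstat (bs->sysroot_selinux, &st) == 0 && S_ISDIR (st.st_mode)) {
    r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_selinux, NULL);
    bs->selinux_ok = r != -1;
  }
  else
    bs->selinux_ok = false;
  /* … unchanged: /sys and /sys/fs/selinux bind mounts … */
```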
Richard W.M. Jones
2014-Jan-28 16:21 UTC
[Libguestfs] [PATCH 2/2] daemon: Add a note about how 'mount --rbind' doesn't work.
---
daemon/command.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/daemon/command.c b/daemon/command.c
index 939bf87..1593de9 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -94,6 +94,10 @@ bind_mount (struct bind_state *bs)
 return -1;
 }

+ /* Note it is tempting to use --rbind here (to bind submounts).
+ * However I have not found a reliable way to unmount the same set
+ * of directories (umount -R does NOT work).
+ */
 r = command (NULL, NULL, str_mount, "--bind", "/dev", bs->sysroot_dev, NULL);
 bs->dev_ok = r != -1;
 r = command (NULL, NULL, str_mount, "--bind", "/dev/pts", bs->sysroot_dev_pts, NULL);
--
1.8.4.2
Pino Toscano
2014-Jan-28 16:29 UTC
Re: [Libguestfs] [PATCH 1/2] daemon: If /selinux exists in the guest, bind-mount /sys/fs/selinux to there.
On Tuesday 28 January 2014 16:21:09 Richard W.M. Jones wrote:> Commit 72afcf450a78b7e58f65b4a7aaf94d71cd25fca5 was partially > incorrect. If the guest userspace is expecting /selinux to exist, > then we should bind-mount /sys/fs/selinux from the appliance kernel > there. > --- > daemon/command.c | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/daemon/command.c b/daemon/command.c > index 1aa1a52..939bf87 100644 > --- a/daemon/command.c > +++ b/daemon/command.c > @@ -47,9 +47,10 @@ struct bind_state { > char *sysroot_dev; > char *sysroot_dev_pts; > char *sysroot_proc; > + char *sysroot_selinux; > char *sysroot_sys; > char *sysroot_sys_fs_selinux; > - bool dev_ok, dev_pts_ok, proc_ok, sys_ok, sys_fs_selinux_ok; > + bool dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok, > sys_fs_selinux_ok; }; > > struct resolver_state { > @@ -76,16 +77,18 @@ bind_mount (struct bind_state *bs) > bs->sysroot_dev = sysroot_path ("/dev"); > bs->sysroot_dev_pts = sysroot_path ("/dev/pts"); > bs->sysroot_proc = sysroot_path ("/proc"); > + bs->sysroot_selinux = sysroot_path ("/selinux"); > bs->sysroot_sys = sysroot_path ("/sys"); > bs->sysroot_sys_fs_selinux = sysroot_path ("/sys/fs/selinux"); > > if (bs->sysroot_dev == NULL || bs->sysroot_dev_pts == NULL || > - bs->sysroot_proc == NULL || bs->sysroot_sys == NULL || > - bs->sysroot_sys_fs_selinux == NULL) { > + bs->sysroot_proc == NULL || bs->sysroot_selinux == NULL || > + bs->sysroot_sys == NULL || bs->sysroot_sys_fs_selinux == NULL) > { reply_with_perror ("malloc"); > free (bs->sysroot_dev); > free (bs->sysroot_dev_pts); > free (bs->sysroot_proc); > + free (bs->sysroot_selinux); > free (bs->sysroot_sys); > free (bs->sysroot_sys_fs_selinux); > return -1; 
> @@ -97,6 +100,11 @@ bind_mount (struct bind_state *bs) > bs->dev_pts_ok = r != -1; > r = command (NULL, NULL, str_mount, "--bind", "/proc", bs->sysroot_proc, NULL); > bs->proc_ok = r != -1; > + /* Note on the next line we have to bind-mount /sys/fs/selinux (appliance > + * kernel) on top of /selinux (where guest is expecting selinux). > + */ > + r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_selinux, NULL); > + bs->selinux_ok = r != -1; > r = command (NULL, NULL, str_mount, "--bind", "/sys", bs->sysroot_sys, NULL); > bs->sys_ok = r != -1; > r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_sys_fs_selinux, NULL);Possibly I'm missing something, but... given that later /sys/fs/selinux of the appliance is bind-mounted as /sys/fs/selinux into the sysroot, couldn't /selinux be created just as a /syslinux -> sys/fs/selinux symlink, to have a bind mount less? -- Pino Toscano
Richard W.M. Jones
2014-Jan-28 16:31 UTC
Re: [Libguestfs] [PATCH 1/2] daemon: If /selinux exists in the guest, bind-mount /sys/fs/selinux to there.
On Tue, Jan 28, 2014 at 05:29:16PM +0100, Pino Toscano wrote:> Possibly I'm missing something, but... given that later /sys/fs/selinux > of the appliance is bind-mounted as /sys/fs/selinux into the sysroot, > couldn't /selinux be created just as a /syslinux -> sys/fs/selinux > symlink, to have a bind mount less?/selinux already exists as a directory in the guest (else the bind-mount command will fail). Since it's in the guest filesystem, best not to go fiddling with it. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/