[lxc-devel] [PATCH] fix autodev on SELinux enabled systems
Stéphane Graber
stgraber at ubuntu.com
Thu Feb 12 23:47:03 UTC 2015
On Thu, Feb 12, 2015 at 11:39:48PM +0000, Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > commit 87da4ec3 changed autodev such that device nodes are created
> > in a small tmpfs, rather than in a subdirectory of /dev. This causes a
> > problem on an SELinux enabled host since the device nodes will have a
> > context type of user_tmp_t. By labeling the tmpfs with device_t, udevd
> > will assign the autodev-created devices the correct labels (i.e.
> > null_device_t for /dev/null).
> >
> > The bad labels were causing things like dhclient to fail in the container
> > since they couldn't access /dev/null.
> >
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
>
> Thanks. A few questions,
>
> > ---
> > src/lxc/conf.c | 10 ++++++++--
> > src/lxc/lsm/lsm.c | 11 +++++++++++
> > src/lxc/lsm/lsm.h | 3 +++
> > src/lxc/lsm/selinux.c | 19 ++++++++++++++++---
> > 4 files changed, 38 insertions(+), 5 deletions(-)
> >
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 2868708..9a826ce 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -1132,7 +1132,7 @@ static int mount_autodev(const char *name, char *root, const char *lxcpath)
> > {
> > int ret;
> > size_t clen;
> > - char *path;
> > + char *path,*mnt_opts;
> >
> > INFO("Mounting /dev under %s", root);
> >
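Review bot: `char *path,*mnt_opts;` folds the new variable into an existing declaration with no space after the comma, which is both a style slip and easy to misread as one pointer declarator; declare it on its own line, `char *mnt_opts;`, so the diff touches only what it adds. The rest of mount_autodev's declarations and its body continue outside this hunk.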
> > @@ -1150,7 +1150,13 @@ static int mount_autodev(const char *name, char *root, const char *lxcpath)
> > return 0;
> > }
> >
> > - if (mount("none", path, "tmpfs", 0, "size=100000,mode=755")) {
> > + if (asprintf(&mnt_opts, "size=100000,mode=755%s",
>
> Anyone know offhand - is asprintf available on android?
Grep seems to think that it is (both header and libc.so).
>
> > + lsm_autodev_mount_opts()) < 0)
> > + return -1;
> > +
> > + ret = mount("none", path, "tmpfs", 0, mnt_opts);
> > + free(mnt_opts);
> > + if (ret) {
> > SYSERROR("Failed mounting tmpfs onto %s\n", path);
> > return false;
> > }
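Review bot: The mount-failure branch at the end of the hunk still ends in `return false;`, i.e. `return 0`, from a function the `@@` header shows as returning `int`, while the new asprintf check returns -1 and the early exit at the top of the hunk returns 0 for success; a caller that tests for a negative result (the callers are not visible here) would therefore treat a failed tmpfs mount as success. With the new `fscontext=` option the mount can now be refused by policy, so this is precisely the failure that must propagate; change the line to `return -1;`. Whether `path` has to be freed before either early return cannot be seen from this hunk, as the allocation and the remainder of mount_autodev lie outside it.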
> > diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> > index 79f837f..400e689 100644
> > --- a/src/lxc/lsm/lsm.c
> > +++ b/src/lxc/lsm/lsm.c
> > @@ -95,4 +95,15 @@ int lsm_process_label_set(const char *label, struct lxc_conf *conf,
> > return drv->process_label_set(label, conf, use_default, on_exec);
> > }
> >
> > +char *lsm_autodev_mount_opts(void)
> > +{
> > + if (!drv) {
> > + ERROR("LSM driver not inited");
> > + return "";
> > + }
> > + if (drv->autodev_mount_opts)
> > + return drv->autodev_mount_opts();
> > + return "";
> > +}
> > +
> > #endif
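Review bot: lsm_autodev_mount_opts returns a non-const `char *` but two of its three paths hand back the string literal `""`, so the returned pointer has no defined ownership or mutability contract for the caller in conf.c. Declare it `const char *lsm_autodev_mount_opts(void)`, change the driver hook in lsm.h to `const char *(*autodev_mount_opts)(void);` (the same issue is in all three lsm.h hunks, including the stub that returns `""`), and put a comment on the declaration stating that the result is a static string owned by the driver and must not be freed. Note also that logging "LSM driver not inited" and then returning `""` lets the caller proceed with an unlabeled tmpfs; if that state is unexpected it may be worth signalling it rather than silently degrading.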
> > diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> > index d6a7aac..8739674 100644
> > --- a/src/lxc/lsm/lsm.h
> > +++ b/src/lxc/lsm/lsm.h
> > @@ -35,6 +35,7 @@ struct lsm_drv {
> > char *(*process_label_get)(pid_t pid);
> > int (*process_label_set)(const char *label, struct lxc_conf *conf,
> > int use_default, int on_exec);
> > + char *(*autodev_mount_opts)(void);
> > };
> >
> > #if HAVE_APPARMOR || HAVE_SELINUX
> > @@ -44,6 +45,7 @@ const char *lsm_name(void);
> > char *lsm_process_label_get(pid_t pid);
> > int lsm_process_label_set(const char *label, struct lxc_conf *conf,
> > int use_default, int on_exec);
> > +char *lsm_autodev_mount_opts(void);
> > #else
> > static inline void lsm_init(void) { }
> > static inline int lsm_enabled(void) { return 0; }
> > @@ -51,6 +53,7 @@ static inline const char *lsm_name(void) { return "none"; }
> > static inline char *lsm_process_label_get(pid_t pid) { return NULL; }
> > static inline int lsm_process_label_set(const char *label,
> > struct lxc_conf *conf, int use_default, int on_exec) { return 0; }
> > +static inline char *lsm_autodev_mount_opts(void) { return ""; }
> > #endif
> >
> > #endif
> > diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> > index 46554d8..0bdcf90 100644
> > --- a/src/lxc/lsm/selinux.c
> > +++ b/src/lxc/lsm/selinux.c
> > @@ -100,11 +100,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
> > return 0;
> > }
> >
> > +/*
> > + * selinux_autodev_mount_opts: Set SELinux context for autodev's tmpfs
> > + *
> > + * Returns the mount option for setting context on filesystem mount. The tmpfs
> > + * has to be labeled with device_t so that udevd will give the nodes
> > + * that autodev creates in it the proper labels.
> > + */
> > +static char *selinux_autodev_mount_opts(void)
> > +{
> > + return strdup(",fscontext=system_u:object_r:device_t:s0");
>
> This allocation will be lost, won't it?
>
> Also, what will this do to nested containers? Can any user mount a tmpfs with
> those contexts?
>
> Is s0 always an ok category?
>
> > +}
> > +
> > static struct lsm_drv selinux_drv = {
> > .name = "SELinux",
> > - .enabled = is_selinux_enabled,
> > - .process_label_get = selinux_process_label_get,
> > - .process_label_set = selinux_process_label_set,
> > + .enabled = is_selinux_enabled,
> > + .process_label_get = selinux_process_label_get,
> > + .process_label_set = selinux_process_label_set,
> > + .autodev_mount_opts = selinux_autodev_mount_opts,
> > };
> >
> > struct lsm_drv *lsm_selinux_drv_init(void)
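Review bot: The header comment above selinux_autodev_mount_opts says it sets the SELinux context for autodev's tmpfs, but the function only returns a mount-option fragment and sets nothing; reword the first line to `selinux_autodev_mount_opts: return the mount option that labels autodev's tmpfs` and state in the comment who owns the returned string. The three `.enabled`/`.process_label_get`/`.process_label_set` lines are unchanged apart from re-alignment with the new member, which adds three spurious `-`/`+` pairs to the diff; keep the original spacing. Since `fscontext=` is only applied when the mounting domain is permitted to set it, a rejected mount is the only signal that the label did not take effect, so the error return from mount_autodev in conf.c is what makes this change observable.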
> > --
> > 1.9.3
> >
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com