[lxc-devel] [PATCH] fix autodev on SELinux enabled systems

Dwight Engen dwight.engen at oracle.com
Fri Feb 13 04:34:59 UTC 2015


On Thu, 12 Feb 2015 23:39:48 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > commit 87da4ec3 changed autodev such that device nodes are created
> > in a small tmpfs, rather than in a subdirectory of /dev. This
> > causes a problem on an SELinux enabled host since the device nodes
> > will have a context type of user_tmp_t. By labeling the tmpfs with
> > device_t, udevd will assign the autodev created devices with the
> > correct labels (ie. null_device_t for /dev/null).
> > 
> > The bad labels were causing things like dhclient to fail in the
> > container since they couldn't access /dev/null.
> > 
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> 
> Thanks.  A few questions,
> 
> > ---
> >  src/lxc/conf.c        | 10 ++++++++--
> >  src/lxc/lsm/lsm.c     | 11 +++++++++++
> >  src/lxc/lsm/lsm.h     |  3 +++
> >  src/lxc/lsm/selinux.c | 19 ++++++++++++++++---
> >  4 files changed, 38 insertions(+), 5 deletions(-)
> > 
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 2868708..9a826ce 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -1132,7 +1132,7 @@ static int mount_autodev(const char *name,
> > char *root, const char *lxcpath) {
> >  	int ret;
> >  	size_t clen;
> > -	char *path;
> > +	char *path,*mnt_opts;
> >  
> >  	INFO("Mounting /dev under %s", root);
> >  
> > @@ -1150,7 +1150,13 @@ static int mount_autodev(const char *name,
> > char *root, const char *lxcpath) return 0;
> >  	}
> >  
> > -	if (mount("none", path, "tmpfs", 0,
> > "size=100000,mode=755")) {
> > +	if (asprintf(&mnt_opts, "size=100000,mode=755%s",
> 
> Anyone know offhand - is asprintf available on android?

Not sure, but asprintf is already used in lxc_execute.c and lxc_start.c
so I figured it was safe :)
 
> > +		     lsm_autodev_mount_opts()) < 0)
> > +		return -1;
> > +
> > +	ret = mount("none", path, "tmpfs", 0, mnt_opts);
> > +	free(mnt_opts);
> > +	if (ret) {
> >  		SYSERROR("Failed mounting tmpfs onto %s\n", path);
> >  		return false;
> >  	}
> > diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> > index 79f837f..400e689 100644
> > --- a/src/lxc/lsm/lsm.c
> > +++ b/src/lxc/lsm/lsm.c
> > @@ -95,4 +95,15 @@ int lsm_process_label_set(const char *label,
> > struct lxc_conf *conf, return drv->process_label_set(label, conf,
> > use_default, on_exec); }
> >  
> > +char *lsm_autodev_mount_opts(void)
> > +{
> > +	if (!drv) {
> > +		ERROR("LSM driver not inited");
> > +		return "";
> > +	}
> > +	if (drv->autodev_mount_opts)
> > +		return drv->autodev_mount_opts();
> > +	return "";
> > +}
> > +
> >  #endif
> > diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> > index d6a7aac..8739674 100644
> > --- a/src/lxc/lsm/lsm.h
> > +++ b/src/lxc/lsm/lsm.h
> > @@ -35,6 +35,7 @@ struct lsm_drv {
> >  	char *(*process_label_get)(pid_t pid);
> >  	int   (*process_label_set)(const char *label, struct
> > lxc_conf *conf, int use_default, int on_exec);
> > +	char *(*autodev_mount_opts)(void);
> >  };
> >  
> >  #if HAVE_APPARMOR || HAVE_SELINUX
> > @@ -44,6 +45,7 @@ const char *lsm_name(void);
> >  char       *lsm_process_label_get(pid_t pid);
> >  int         lsm_process_label_set(const char *label, struct
> > lxc_conf *conf, int use_default, int on_exec);
> > +char       *lsm_autodev_mount_opts(void);
> >  #else
> >  static inline void        lsm_init(void) { }
> >  static inline int         lsm_enabled(void) { return 0; }
> > @@ -51,6 +53,7 @@ static inline const char *lsm_name(void) { return
> > "none"; } static inline char       *lsm_process_label_get(pid_t
> > pid) { return NULL; } static inline int
> > lsm_process_label_set(const char *label, struct lxc_conf *conf, int
> > use_default, int on_exec) { return 0; } +static inline char
> > *lsm_autodev_mount_opts(void) { return ""; } #endif
> >  
> >  #endif
> > diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> > index 46554d8..0bdcf90 100644
> > --- a/src/lxc/lsm/selinux.c
> > +++ b/src/lxc/lsm/selinux.c
> > @@ -100,11 +100,24 @@ static int selinux_process_label_set(const
> > char *inlabel, struct lxc_conf *conf, return 0;
> >  }
> >  
> > +/*
> > + * selinux_autodev_mount_opts: Set SELinux context for autodev's
> > tmpfs
> > + *
> > + * Returns the mount option for setting context on filesystem
> > mount. The tmpfs
> > + * has to be labeled with device_t so that udevd will give the
> > nodes
> > + * that autodev creates in it the proper labels.
> > + */
> > +static char *selinux_autodev_mount_opts(void)
> > +{
> > +	return strdup(",fscontext=system_u:object_r:device_t:s0");
> 
> This allocation will be lost, won't it?

Yes good catch. This is because earlier I thought I needed a modifiable
string. Looks like it can actually return a const char *.

> Also, what will this do to nested containers?  Can any user mount a
> tmpfs with those contexts?

I don't have nested containers to test with here so I'm not sure.
After further testing I noticed that this method doesn't work on
my older OL6.x host, the autodev nodes end up as device_t just like the
directory instead of their proper contexts so I'm not sure this is
enough to wholly fix the problem. If you know of a better way to get
the contexts set correctly I'd be happy to change the patch.

> Is s0 always an ok category?

I think so, the full context is the same as that on regular /dev.
 
> > +}
> > +
> >  static struct lsm_drv selinux_drv = {
> >  	.name = "SELinux",
> > -	.enabled           = is_selinux_enabled,
> > -	.process_label_get = selinux_process_label_get,
> > -	.process_label_set = selinux_process_label_set,
> > +	.enabled            = is_selinux_enabled,
> > +	.process_label_get  = selinux_process_label_get,
> > +	.process_label_set  = selinux_process_label_set,
> > +	.autodev_mount_opts = selinux_autodev_mount_opts,
> >  };
> >  
> >  struct lsm_drv *lsm_selinux_drv_init(void)
> > -- 
> > 1.9.3
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel



More information about the lxc-devel mailing list