Label the masked tmpfs with the mount label

Currently, if a confined container process tries to list these directories,
AVC denials are generated because the directories are labeled with external labels.
Adding the mount label removes these AVCs.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2018-03-09 14:29:06 -05:00
parent 9facb87f87
commit 43aea05946
2 changed files with 3 additions and 3 deletions


@ -778,10 +778,10 @@ func remountReadonly(m *configs.Mount) error {
// mounts ( proc/kcore ).
// For files, maskPath bind mounts /dev/null over the top of the specified path.
// For directories, maskPath mounts read-only tmpfs over the top of the specified path.
func maskPath(path string) error {
func maskPath(path string, mountLabel string) error {
if err := unix.Mount("/dev/null", path, "", unix.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
if err == unix.ENOTDIR {
return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, "")
return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel))
}
return err
}
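Review bot: The new `mountLabel` parameter on `maskPath` is not described in the function's doc comment, which lists only the /dev/null and tmpfs behaviours; a one-line addition such as `// mountLabel is the SELinux mount label applied to the masking tmpfs (presumably via a context= option); an empty label is passed through to FormatMountLabel unchanged.` would make the contract visible to callers, hedged as needed since FormatMountLabel's handling of an empty label is not shown here. That doc comment begins before this hunk (the first visible line is its continuation), so the edit lands outside the hunk. As a defence-in-depth point on the rewritten tmpfs line, the masking mount carries only `unix.MS_RDONLY`; adding `unix.MS_NOSUID|unix.MS_NODEV|unix.MS_NOEXEC` costs nothing for an empty read-only filesystem and matches how masking mounts are usually hardened, though this is pre-existing rather than introduced by the commit.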


@ -110,7 +110,7 @@ func (l *linuxStandardInit) Init() error {
}
}
for _, path := range l.config.Config.MaskPaths {
if err := maskPath(path); err != nil {
if err := maskPath(path, l.config.Config.MountLabel); err != nil {
return err
}
}