return drv->process_label_set(label, use_default, on_exec);
}
-/*
- * _lsm_mount_proc: Mount /proc inside container to enable
- * security domain transition
- *
- * @rootfs : the rootfs where proc should be mounted
- *
- * Returns < 0 on failure, 0 if the correct proc was already mounted
- * and 1 if a new proc was mounted.
- */
-static int _lsm_proc_mount(const char *rootfs)
-{
- char path[MAXPATHLEN];
- char link[20];
- int linklen, ret;
-
- ret = snprintf(path, MAXPATHLEN, "%s/proc/self", rootfs);
- if (ret < 0 || ret >= MAXPATHLEN) {
- SYSERROR("proc path name too long");
- return -1;
- }
- memset(link, 0, 20);
- linklen = readlink(path, link, 20);
- INFO("I am %d, /proc/self points to '%s'", getpid(), link);
- ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs);
- if (linklen < 0) /* /proc not mounted */
- goto domount;
- /* can't be longer than rootfs/proc/1 */
- if (strncmp(link, "1", linklen) != 0) {
- /* wrong /procs mounted */
- umount2(path, MNT_DETACH); /* ignore failure */
- goto domount;
- }
- /* the right proc is already mounted */
- return 0;
-
-domount:
- if (mount("proc", path, "proc", 0, NULL))
- return -1;
- INFO("Mounted /proc in container for security transition");
- return 1;
-}
-
-int lsm_proc_mount(struct lxc_conf *lxc_conf)
-{
- int mounted;
-
- if (!drv || strcmp(drv->name, "nop") == 0)
- return 0;
-
- if (lxc_conf->rootfs.path == NULL || strlen(lxc_conf->rootfs.path) == 0) {
- if (mount("proc", "/proc", "proc", 0, NULL)) {
- SYSERROR("Failed mounting /proc, proceeding");
- mounted = 0;
- } else
- mounted = 1;
- } else
- mounted = _lsm_proc_mount(lxc_conf->rootfs.mount);
- if (mounted == -1) {
- SYSERROR("failed to mount /proc in the container.");
- return -1;
- } else if (mounted == 1) {
- lxc_conf->lsm_umount_proc = 1;
- }
- return 0;
-}
-
-void lsm_proc_unmount(struct lxc_conf *lxc_conf)
-{
- if (lxc_conf->lsm_umount_proc == 1) {
- umount("/proc");
- lxc_conf->lsm_umount_proc = 0;
- }
-}
#endif
projects / mirror_lxc.git / blobdiff