libvirt: don't mount securityfs or selinux if userns enabled

commit 6807238d87fd [Ensure securityfs is mounted readonly in container] from upstream libvirt requires securityfs to be mounted, always. Failing to use a kernel without SECURITYFS support results in the following error when you attempt to start a lxc guest: error : lxcContainerMountBasicFS:807 : Failed to mkdir securityfs: No such file or directory Input/output error Here we apply an upstream fix for this which allows you to use userns support instead of SECURITYFS, by using <idmap> in your guest config. A similar situation exists for SELINUX so here we are bringing in 2 more upstream commits, the first for context and the second, which like the securityfs patch, doesn't force selinux to be mounted if userns is used. Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Cc: Bogdan Purcareata <bogdan.purcareata@freescale.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Mark Asselstine <mark.asselstine@windriver.com> 2013-10-02 21:17:13 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2013-10-03 22:41:33 -0400
commit: 7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5 (patch)
tree: ecc47fd2bc086909bda3421031214b7bdb77a262 /recipes-extended/libvirt
parent: 9f2c3fcf9e514d428a6aadad5bb229fd1c541cc7 (diff)
download: meta-virtualization-7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5.tar.gz
4 files changed, 250 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
new file mode 100644
index 00000000..40f8dd9b
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
@@ -0,0 +1,52 @@
+From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu, 5 Sep 2013 11:50:40 +0100
+Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
+commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
+git://libvirt.org/libvirt.git
+Right now, securityfs is disallowed to be mounted in non-initial
+user namespace, so we must avoid trying to mount securityfs in
+a container which has user namespace enabled.
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+---
+ src/lxc/lxc_container.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 8abaea0..c41ab40 100644
+--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
+@@ -750,7 +750,7 @@ err:
+ }
+ 
+ 
+-static int lxcContainerMountBasicFS(void)
+static int lxcContainerMountBasicFS(bool userns_enabled)
+ {
+     const struct {
+         const char *src;
+@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
+             continue;
+ #endif
+ 
+        if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
+            continue;
+
+         if (virFileMakePath(mnts[i].dst) < 0) {
+             virReportSystemError(errno,
+                                  _("Failed to mkdir %s"),
+@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
+         goto cleanup;
+ 
+     /* Mounts the core /proc, /sys, etc filesystems */
+-    if (lxcContainerMountBasicFS() < 0)
+    if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
+         goto cleanup;
+ 
+     /* Mounts /proc/meminfo etc sysinfo */
+-- 
+1.8.1.2
diff --git a/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
new file mode 100644
index 00000000..f0582931
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
@@ -0,0 +1,48 @@
+From 1c7037cff42dde35913dde533b31ee1da8c2d6e0 Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu, 12 Sep 2013 11:51:31 +0800
+Subject: [PATCH] LXC: don't try to mount selinux filesystem when user namespace enabled
+commit 1c7037cff42dde35913dde533b31ee1da8c2d6e0 from
+git://libvirt.org/libvirt.git
+                                
+Right now we mount selinuxfs even user namespace is enabled and
+ignore the error. But we shouldn't ignore these errors when user
+namespace is not enabled.
+This patch skips mounting selinuxfs when user namespace enabled.
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+---
+ src/lxc/lxc_container.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index ddc6e3d..a979452 100644
+--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
+@@ -868,7 +868,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
+ 
+ #if WITH_SELINUX
+         if (STREQ(mnt->src, SELINUX_MOUNT) &&
+-            !is_selinux_enabled())
+            (!is_selinux_enabled() || userns_enabled))
+             continue;
+ #endif
+ 
+@@ -885,12 +885,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
+         VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
+                   srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
+         if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
+-#if WITH_SELINUX
+-            if (STREQ(mnt->src, SELINUX_MOUNT) &&
+-                (errno == EINVAL || errno == EPERM))
+-                continue;
+-#endif
+-
+             virReportSystemError(errno,
+                                  _("Failed to mount %s on %s type %s flags=%x opts=%s"),
+                                  srcpath, mnt->dst, NULLSTR(mnt->type),
+-- 
+1.8.1.2
diff --git a/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
new file mode 100644
index 00000000..2c7b0eed
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
@@ -0,0 +1,147 @@
+From f27f5f7eddf531159d791a2b5ac438ca011b5f26 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 10 Sep 2013 13:35:12 +0100
+Subject: [PATCH] Move array of mounts out of lxcContainerMountBasicFS
+commit f27f5f7eddf531159d791a2b5ac438ca011b5f26 from
+git://libvirt.org/libvirt.git
+Move the array of basic mounts out of the lxcContainerMountBasicFS
+function, to a global variable. This is to allow it to be referenced
+by other methods wanting to know what the basic mount paths are.
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ src/lxc/lxc_container.c | 79 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 42 insertions(+), 37 deletions(-)
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 661ac52..6f241d3 100644
+--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
+@@ -750,45 +750,50 @@ err:
+ }
+ 
+ 
+-static int lxcContainerMountBasicFS(bool userns_enabled)
+-{
+-    const struct {
+-        const char *src;
+-        const char *dst;
+-        const char *type;
+-        const char *opts;
+-        int mflags;
+-    } mnts[] = {
+-        /* When we want to make a bind mount readonly, for unknown reasons,
+-         * it is currently necessary to bind it once, and then remount the
+-         * bind with the readonly flag. If this is not done, then the original
+-         * mount point in the main OS becomes readonly too which is not what
+-         * we want. Hence some things have two entries here.
+-         */
+-        { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+-        { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+-        { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+-        { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+-        { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+-        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+-        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+typedef struct {
+    const char *src;
+    const char *dst;
+    const char *type;
+    const char *opts;
+    int mflags;
+} virLXCBasicMountInfo;
+
+static const virLXCBasicMountInfo lxcBasicMounts[] = {
+    /* When we want to make a bind mount readonly, for unknown reasons,
+     * it is currently necessary to bind it once, and then remount the
+     * bind with the readonly flag. If this is not done, then the original
+     * mount point in the main OS becomes readonly too which is not what
+     * we want. Hence some things have two entries here.
+     */
+    { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+    { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+    { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+    { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+    { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ #if WITH_SELINUX
+-        { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+-        { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+    { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ #endif
+-    };
+};
+
+
+static int lxcContainerMountBasicFS(bool userns_enabled)
+{
+     size_t i;
+     int rc = -1;
+ 
+     VIR_DEBUG("Mounting basic filesystems");
+ 
+-    for (i = 0; i < ARRAY_CARDINALITY(mnts); i++) {
+    for (i = 0; i < ARRAY_CARDINALITY(lxcBasicMounts); i++) {
+        virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
+         const char *srcpath = NULL;
+ 
+         VIR_DEBUG("Processing %s -> %s",
+-                  mnts[i].src, mnts[i].dst);
+                  mnt->src, mnt->dst);
+ 
+-        srcpath = mnts[i].src;
+        srcpath = mnt->src;
+ 
+         /* Skip if mount doesn't exist in source */
+         if ((srcpath[0] == '/') &&
+@@ -796,34 +801,34 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
+             continue;
+ 
+ #if WITH_SELINUX
+-        if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
+        if (STREQ(mnt->src, SELINUX_MOUNT) &&
+             !is_selinux_enabled())
+             continue;
+ #endif
+ 
+-        if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
+        if (STREQ(mnt->src, "securityfs") && userns_enabled)
+             continue;
+ 
+-        if (virFileMakePath(mnts[i].dst) < 0) {
+        if (virFileMakePath(mnt->dst) < 0) {
+             virReportSystemError(errno,
+                                  _("Failed to mkdir %s"),
+-                                 mnts[i].src);
+                                 mnt->src);
+             goto cleanup;
+         }
+ 
+         VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
+-                  srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
+-        if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
+                  srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
+        if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
+ #if WITH_SELINUX
+-            if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
+            if (STREQ(mnt->src, SELINUX_MOUNT) &&
+                 (errno == EINVAL || errno == EPERM))
+                 continue;
+ #endif
+ 
+             virReportSystemError(errno,
+                                  _("Failed to mount %s on %s type %s flags=%x opts=%s"),
+-                                 srcpath, mnts[i].dst, NULLSTR(mnts[i].type),
+-                                 mnts[i].mflags, NULLSTR(mnts[i].opts));
+                                 srcpath, mnt->dst, NULLSTR(mnt->type),
+                                 mnt->mflags, NULLSTR(mnt->opts));
+             goto cleanup;
+         }
+     }
+-- 
+1.8.1.2
diff --git a/recipes-extended/libvirt/libvirt_1.1.2.bb b/recipes-extended/libvirt/libvirt_1.1.2.bb
index cfb406dc..a12147a6 100644
--- a/recipes-extended/libvirt/libvirt_1.1.2.bb
+++ b/recipes-extended/libvirt/libvirt_1.1.2.bb
@@ -24,6 +24,9 @@ RCONFLICTS_${PN}_libvirtd = "connman"
 SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz \
           file://tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch \
+           file://LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch \
+           file://Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch \
+           file://LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch \
           file://libvirtd.sh \
           file://libvirtd.conf"
author	Mark Asselstine <mark.asselstine@windriver.com>	2013-10-02 21:17:13 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2013-10-03 22:41:33 -0400
commit	7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5 (patch)
tree	ecc47fd2bc086909bda3421031214b7bdb77a262 /recipes-extended/libvirt
parent	9f2c3fcf9e514d428a6aadad5bb229fd1c541cc7 (diff)
download	meta-virtualization-7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch new file mode 100644 index 00000000..40f8dd9b --- /dev/null +++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
@@ -0,0 +1,52 @@
		1	From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
		2	From: Gao feng <gaofeng@cn.fujitsu.com>
		3	Date: Thu, 5 Sep 2013 11:50:40 +0100
		4	Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
		5
		6	commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
		7	git://libvirt.org/libvirt.git
		8
		9	Right now, securityfs is disallowed to be mounted in non-initial
		10	user namespace, so we must avoid trying to mount securityfs in
		11	a container which has user namespace enabled.
		12
		13	Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
		14	---
		15	src/lxc/lxc_container.c \| 7 +++++--
		16	1 file changed, 5 insertions(+), 2 deletions(-)
		17
		18	diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
		19	index 8abaea0..c41ab40 100644
		20	--- a/src/lxc/lxc_container.c
		21	+++ b/src/lxc/lxc_container.c
		22	@@ -750,7 +750,7 @@ err:
		23	}
		24
		25
		26	-static int lxcContainerMountBasicFS(void)
		27	+static int lxcContainerMountBasicFS(bool userns_enabled)
		28	{
		29	const struct {
		30	const char *src;
		31	@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
		32	continue;
		33	#endif
		34
		35	+ if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
		36	+ continue;
		37	+
		38	if (virFileMakePath(mnts[i].dst) < 0) {
		39	virReportSystemError(errno,
		40	_("Failed to mkdir %s"),
		41	@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
		42	goto cleanup;
		43
		44	/* Mounts the core /proc, /sys, etc filesystems */
		45	- if (lxcContainerMountBasicFS() < 0)
		46	+ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
		47	goto cleanup;
		48
		49	/* Mounts /proc/meminfo etc sysinfo */
		50	--
		51	1.8.1.2
		52


diff --git a/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch new file mode 100644 index 00000000..f0582931 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
@@ -0,0 +1,48 @@
		1	From 1c7037cff42dde35913dde533b31ee1da8c2d6e0 Mon Sep 17 00:00:00 2001
		2	From: Gao feng <gaofeng@cn.fujitsu.com>
		3	Date: Thu, 12 Sep 2013 11:51:31 +0800
		4	Subject: [PATCH] LXC: don't try to mount selinux filesystem when user namespace enabled
		5
		6	commit 1c7037cff42dde35913dde533b31ee1da8c2d6e0 from
		7	git://libvirt.org/libvirt.git
		8
		9	Right now we mount selinuxfs even user namespace is enabled and
		10	ignore the error. But we shouldn't ignore these errors when user
		11	namespace is not enabled.
		12
		13	This patch skips mounting selinuxfs when user namespace enabled.
		14
		15	Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
		16	---
		17	src/lxc/lxc_container.c \| 8 +-------
		18	1 file changed, 1 insertion(+), 7 deletions(-)
		19
		20	diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
		21	index ddc6e3d..a979452 100644
		22	--- a/src/lxc/lxc_container.c
		23	+++ b/src/lxc/lxc_container.c
		24	@@ -868,7 +868,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
		25
		26	#if WITH_SELINUX
		27	if (STREQ(mnt->src, SELINUX_MOUNT) &&
		28	- !is_selinux_enabled())
		29	+ (!is_selinux_enabled() \|\| userns_enabled))
		30	continue;
		31	#endif
		32
		33	@@ -885,12 +885,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
		34	VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
		35	srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
		36	if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
		37	-#if WITH_SELINUX
		38	- if (STREQ(mnt->src, SELINUX_MOUNT) &&
		39	- (errno == EINVAL \|\| errno == EPERM))
		40	- continue;
		41	-#endif
		42	-
		43	virReportSystemError(errno,
		44	_("Failed to mount %s on %s type %s flags=%x opts=%s"),
		45	srcpath, mnt->dst, NULLSTR(mnt->type),
		46	--
		47	1.8.1.2
		48


diff --git a/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch new file mode 100644 index 00000000..2c7b0eed --- /dev/null +++ b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
@@ -0,0 +1,147 @@
		1	From f27f5f7eddf531159d791a2b5ac438ca011b5f26 Mon Sep 17 00:00:00 2001
		2	From: "Daniel P. Berrange" <berrange@redhat.com>
		3	Date: Tue, 10 Sep 2013 13:35:12 +0100
		4	Subject: [PATCH] Move array of mounts out of lxcContainerMountBasicFS
		5
		6	commit f27f5f7eddf531159d791a2b5ac438ca011b5f26 from
		7	git://libvirt.org/libvirt.git
		8
		9	Move the array of basic mounts out of the lxcContainerMountBasicFS
		10	function, to a global variable. This is to allow it to be referenced
		11	by other methods wanting to know what the basic mount paths are.
		12
		13	Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
		14	---
		15	src/lxc/lxc_container.c \| 79 ++++++++++++++++++++++++++-----------------------
		16	1 file changed, 42 insertions(+), 37 deletions(-)
		17
		18	diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
		19	index 661ac52..6f241d3 100644
		20	--- a/src/lxc/lxc_container.c
		21	+++ b/src/lxc/lxc_container.c
		22	@@ -750,45 +750,50 @@ err:
		23	}
		24
		25
		26	-static int lxcContainerMountBasicFS(bool userns_enabled)
		27	-{
		28	- const struct {
		29	- const char *src;
		30	- const char *dst;
		31	- const char *type;
		32	- const char *opts;
		33	- int mflags;
		34	- } mnts[] = {
		35	- /* When we want to make a bind mount readonly, for unknown reasons,
		36	- * it is currently necessary to bind it once, and then remount the
		37	- * bind with the readonly flag. If this is not done, then the original
		38	- * mount point in the main OS becomes readonly too which is not what
		39	- * we want. Hence some things have two entries here.
		40	- */
		41	- { "proc", "/proc", "proc", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		42	- { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
		43	- { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		44	- { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		45	- { "sysfs", "/sys", "sysfs", NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		46	- { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		47	- { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		48	+typedef struct {
		49	+ const char *src;
		50	+ const char *dst;
		51	+ const char *type;
		52	+ const char *opts;
		53	+ int mflags;
		54	+} virLXCBasicMountInfo;
		55	+
		56	+static const virLXCBasicMountInfo lxcBasicMounts[] = {
		57	+ /* When we want to make a bind mount readonly, for unknown reasons,
		58	+ * it is currently necessary to bind it once, and then remount the
		59	+ * bind with the readonly flag. If this is not done, then the original
		60	+ * mount point in the main OS becomes readonly too which is not what
		61	+ * we want. Hence some things have two entries here.
		62	+ */
		63	+ { "proc", "/proc", "proc", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		64	+ { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
		65	+ { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		66	+ { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		67	+ { "sysfs", "/sys", "sysfs", NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		68	+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		69	+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		70	#if WITH_SELINUX
		71	- { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		72	- { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		73	+ { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV },
		74	+ { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY },
		75	#endif
		76	- };
		77	+};
		78	+
		79	+
		80	+static int lxcContainerMountBasicFS(bool userns_enabled)
		81	+{
		82	size_t i;
		83	int rc = -1;
		84
		85	VIR_DEBUG("Mounting basic filesystems");
		86
		87	- for (i = 0; i < ARRAY_CARDINALITY(mnts); i++) {
		88	+ for (i = 0; i < ARRAY_CARDINALITY(lxcBasicMounts); i++) {
		89	+ virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
		90	const char *srcpath = NULL;
		91
		92	VIR_DEBUG("Processing %s -> %s",
		93	- mnts[i].src, mnts[i].dst);
		94	+ mnt->src, mnt->dst);
		95
		96	- srcpath = mnts[i].src;
		97	+ srcpath = mnt->src;
		98
		99	/* Skip if mount doesn't exist in source */
		100	if ((srcpath[0] == '/') &&
		101	@@ -796,34 +801,34 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
		102	continue;
		103
		104	#if WITH_SELINUX
		105	- if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
		106	+ if (STREQ(mnt->src, SELINUX_MOUNT) &&
		107	!is_selinux_enabled())
		108	continue;
		109	#endif
		110
		111	- if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
		112	+ if (STREQ(mnt->src, "securityfs") && userns_enabled)
		113	continue;
		114
		115	- if (virFileMakePath(mnts[i].dst) < 0) {
		116	+ if (virFileMakePath(mnt->dst) < 0) {
		117	virReportSystemError(errno,
		118	_("Failed to mkdir %s"),
		119	- mnts[i].src);
		120	+ mnt->src);
		121	goto cleanup;
		122	}
		123
		124	VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
		125	- srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
		126	- if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
		127	+ srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
		128	+ if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
		129	#if WITH_SELINUX
		130	- if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
		131	+ if (STREQ(mnt->src, SELINUX_MOUNT) &&
		132	(errno == EINVAL \|\| errno == EPERM))
		133	continue;
		134	#endif
		135
		136	virReportSystemError(errno,
		137	_("Failed to mount %s on %s type %s flags=%x opts=%s"),
		138	- srcpath, mnts[i].dst, NULLSTR(mnts[i].type),
		139	- mnts[i].mflags, NULLSTR(mnts[i].opts));
		140	+ srcpath, mnt->dst, NULLSTR(mnt->type),
		141	+ mnt->mflags, NULLSTR(mnt->opts));
		142	goto cleanup;
		143	}
		144	}
		145	--
		146	1.8.1.2
		147


diff --git a/recipes-extended/libvirt/libvirt_1.1.2.bb b/recipes-extended/libvirt/libvirt_1.1.2.bb index cfb406dc..a12147a6 100644 --- a/recipes-extended/libvirt/libvirt_1.1.2.bb +++ b/recipes-extended/libvirt/libvirt_1.1.2.bb
@@ -24,6 +24,9 @@ RCONFLICTS_${PN}_libvirtd = "connman"
24		24
25	SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz \	25	SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz \
26	file://tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch \	26	file://tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch \
		27	file://LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch \
		28	file://Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch \
		29	file://LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch \
27	file://libvirtd.sh \	30	file://libvirtd.sh \
28	file://libvirtd.conf"	31	file://libvirtd.conf"
29		32