
Re: [libvirt] [PATCH 3/3] Honour filesystem readonly flag & make special FS readonly



On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange redhat com>

A container should not be allowed to modify stuff in /sys
or /proc/sys so make them readonly. Make /selinux readonly
so that containers think that selinux is disabled.

Are we ever going to want to mix selinux and containers? But for now, I guess this makes sense.


Honour the readonly flag when mounting container filesystems
from the guest XML config

* src/lxc/lxc_container.c: Support readonly mounts
---
  src/lxc/lxc_container.c |   29 +++++++++++++++++++++++++++++
  1 files changed, 29 insertions(+), 0 deletions(-)

      } mnts[] = {
+        /* When we want to make a bind mount readonly, for unknown reasons,
+         * it is currently neccessary to bind it once, and then remount the

s/neccessary/necessary/

+         * bind with the readonly flag. If this is not done, then the original
+         * mount point in the main OS becomes readonly too which si not what

s/si/is/
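Review bot: the comment opening this hunk attributes the bind-then-remount sequence to "unknown reasons", but it is documented mount(2) behaviour rather than a mystery: on the initial MS_BIND call the kernel ignores the other mount flags (the bind inherits the options of the underlying mount), and MS_RDONLY only takes effect on a second call with MS_REMOUNT | MS_BIND | MS_RDONLY, which is supported since Linux 2.6.26. Suggest rewording the comment to state that semantic explicitly, so the next reader does not mistake the remount for a workaround for a kernel bug and does not try to collapse the two calls into one, which would silently leave /sys and /proc/sys writable inside the container.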

ACK with spelling nits fixed.

--
Eric Blake   eblake redhat com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

