[libvirt] This patch adds the label to lxc-enter-namespace

Daniel J Walsh dwalsh at redhat.com
Thu Jan 24 13:47:13 UTC 2013



(Resend to the correct list)


lxc-enter-namespace allows a process from outside a container to start a
process inside a container. One problem with the current code is that the process
running within the container would run with the label of the process that
created it.

For example, if the admin process is running as unconfined_t and executes the
following command:


# virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps

Note the ps command is running as unconfined_t. After this patch:


virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps

I also add a --nolabel command to virsh, which can go back to the original
behaviour.

virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 37 ? 00:00:00 ps


One problem I had when I originally did the patch is that
lxcDomainGetSecurityLabel was returning the incorrect label. I needed the
label of the initpid within the container, not its parent process, so I
changed this function to match the OpenNamespaces function.

One last strangeness: about half the time I run this, virsh hangs and never
returns. It seems like

    if (conn->driver->domainGetSecurityLabel(domain,
                                             seclabel) == 0) {

gets hung up. I have attached the strace in out1.gz.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Set-the-label-by-default-when-entering-a-namespace-w.patch
Type: text/x-patch
Size: 4123 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130124/a5865244/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: out1.gz
Type: application/x-gzip
Size: 11151 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130124/a5865244/attachment-0003.bin>