[systemd-devel] [PATCH 1/1] Add SELinux support to systemd-nspawn
Dan Walsh
dwalsh at redhat.com
Thu Jan 30 13:28:02 PST 2014
This patch adds two new options:
-Z PROCESS_LABEL
This specifies the process label to run on processes run within the container.
-L FILE_LABEL
The file label to assign to memory file systems created within the container.
For example, if you wanted to wrap a container with SELinux sandbox labels, you could execute a command line like the following
chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -s -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
---
src/nspawn/nspawn.c | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5352b95..1394ee6 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -41,6 +41,9 @@
#include <sys/socket.h>
#include <linux/netlink.h>
#include <sys/eventfd.h>
+#if HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
#include "sd-daemon.h"
#include "sd-bus.h"
@@ -77,6 +80,8 @@ static char *arg_directory = NULL;
static char *arg_user = NULL;
static sd_id128_t arg_uuid = {};
static char *arg_machine = NULL;
+static char *process_label = NULL;
+static char *file_label = NULL;
static const char *arg_slice = NULL;
static bool arg_private_network = false;
static bool arg_read_only = false;
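Review bot: `process_label` and `file_label` drop the `arg_` prefix that every neighbouring option global carries (`arg_user`, `arg_machine`, `arg_slice`), so they read like internal state rather than command-line settings. `static char *arg_process_label = NULL;` and `static char *arg_file_label = NULL;`, with the uses in parse_argv, mount_all and main renamed to match, would keep the file's convention.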
@@ -125,6 +130,8 @@ static int help(void) {
" --uuid=UUID Set a specific machine UUID for the container\n"
" -M --machine=NAME Set the machine name for the container\n"
" -S --slice=SLICE Place the container in the specified slice\n"
+ " -L --filelabel=LABEL Set the MAC file label to be used by tmpfs file systems in container\n"
+ " -Z --processlabel=LABEL Set the MAC Label to be used by processes in container\n"
" --private-network Disable network in container\n"
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
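Review bot: The help text advertises `--processlabel=LABEL` for `-Z`, but the option table in the parse_argv hunk registers the long name as `"label"`, so the spelling the help documents is rejected by getopt_long. Either this line or the table entry `{ "label", required_argument, NULL, 'Z' },` has to change; `{ "processlabel", required_argument, NULL, 'Z' },` matches what the help and the `-L`/`--filelabel` pair already promise. The `-L` description also says the label is used by tmpfs file systems, while mount_all applies it to devpts as well, so `tmpfs and devpts file systems` would be more accurate. help() begins before this hunk and ends after it.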
@@ -173,6 +180,8 @@ static int parse_argv(int argc, char *argv[]) {
{ "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' },
{ "setenv", required_argument, NULL, ARG_SETENV },
+ { "label", required_argument, NULL, 'Z' },
+ { "filelabel", required_argument, NULL, 'L' },
{}
};
@@ -181,7 +190,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
- while ((c = getopt_long(argc, argv, "+hD:u:bM:jS:", options, NULL)) >= 0) {
+ while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:", options, NULL)) >= 0) {
switch (c) {
@@ -247,6 +256,19 @@ static int parse_argv(int argc, char *argv[]) {
break;
+ case 'L':
+ if (asprintf(&file_label,",context=\"%s\"", optarg) < 0)
+ return log_oom();
+
+ break;
+
+ case 'Z':
+ process_label = strdup(optarg);
+ if (!process_label)
+ return log_oom();
+
+ break;
+
case ARG_READ_ONLY:
arg_read_only = true;
break;
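Review bot: `case 'L'` splices optarg into a mount option string without any check that it is a well-formed context: a value containing `"` or `,` ends the quoted `context=` value and the remainder is handed to the kernel as further mount options, and a merely mistyped label is only discovered once mount_all runs. libselinux provides `security_check_context()` for this; calling it on optarg in both `case 'L'` and `case 'Z'` before storing the value turns a bad label into a usage error at parse time. Both cases also leak the previous allocation when the option is repeated, so `free(file_label);` and `free(process_label);` ahead of the asprintf/strdup would close that. Since `file_label` is only consumed under HAVE_SELINUX, `-L` is silently accepted and ignored on builds without it, which is worth either rejecting or documenting in the help text. parse_argv begins before this hunk and continues after it.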
@@ -396,6 +418,7 @@ static int mount_all(const char *dest) {
for (k = 0; k < ELEMENTSOF(mount_table); k++) {
_cleanup_free_ char *where = NULL;
+ _cleanup_free_ char *options = NULL;
int t;
where = strjoin(dest, "/", mount_table[k].where, NULL);
@@ -418,11 +441,19 @@ static int mount_all(const char *dest) {
mkdir_p(where, 0755);
+#ifdef HAVE_SELINUX
+ if (file_label && (streq_ptr(mount_table[k].what, "tmpfs") ||
+ streq_ptr(mount_table[k].what, "devpts")))
+ options = strjoin(mount_table[k].options, file_label, NULL);
+ else
+#endif
+ options = strjoin(mount_table[k].options, NULL, NULL);
+
if (mount(mount_table[k].what,
where,
mount_table[k].type,
mount_table[k].flags,
- mount_table[k].options) < 0 &&
+ options) < 0 &&
mount_table[k].fatal) {
log_error("mount(%s) failed: %m", where);
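Review bot: The result of the two `strjoin()` calls is never checked, so on allocation failure `options` stays NULL and the mount still goes ahead — for tmpfs and devpts without the `context=` the operator asked for, a silent downgrade rather than a failure; `if (!options) return log_oom();` right after the `#endif` block closes that gap. The guard here is `#ifdef HAVE_SELINUX` while the include hunk and the setexeccon hunk in main use `#if HAVE_SELINUX`; the three should agree so that a `#define HAVE_SELINUX 0` cannot enable only this branch. It is also worth confirming that every `mount_table` entry matched by the tmpfs/devpts test has a non-NULL `.options`, since `file_label` starts with a comma and depends on something preceding it. mount_all begins before this hunk and ends after it.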
@@ -1491,6 +1522,11 @@ int main(int argc, char *argv[]) {
} else
env_use = (char**) envp;
+#if HAVE_SELINUX
+ if (process_label)
+ if (setexeccon(process_label) < 0)
+ log_error("setexeccon(\"%s\") failed: %m", process_label);
+#endif
if (arg_boot) {
char **a;
size_t l;
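Review bot: A failing `setexeccon()` is only logged and the child goes on to exec the container's init without the label the operator explicitly requested with `-Z`, so the case where confinement matters most degrades silently. The failure should be treated like the other fatal child-setup errors in this function and abort the child before the exec instead of falling through to the `arg_boot` branch. A short comment above the call, `/* Label the container's init; a failure here must not fall through to an unconfined exec */`, would record the intent. main begins before this hunk and ends after it.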
--
1.8.5.3