From: Gao feng
Date: Thu, 12 Sep 2013 03:51:31 +0000 (+0800)
Subject: LXC: don't try to mount selinux filesystem when user namespace enabled
X-Git-Tag: CVE-2013-4311~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c7037cff42dde35913dde533b31ee1da8c2d6e0;p=thirdparty%2Flibvirt.git
LXC: don't try to mount selinux filesystem when user namespace enabled
Right now we mount selinuxfs even user namespace is enabled and ignore the error. But we shouldn't ignore these errors when user namespace is not enabled. This patch skips mounting selinuxfs when user namespace enabled.
Signed-off-by: Gao feng
---
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index ddc6e3d603..a979452a45 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -868,7 +868,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
 #if WITH_SELINUX
 if (STREQ(mnt->src, SELINUX_MOUNT) &&
- !is_selinux_enabled())
+ (!is_selinux_enabled() || userns_enabled))
 continue;
 #endif
@@ -885,12 +885,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
 VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
 srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
 if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
-#if WITH_SELINUX
- if (STREQ(mnt->src, SELINUX_MOUNT) &&
- (errno == EINVAL || errno == EPERM))
- continue;
-#endif
-
 virReportSystemError(errno,
 _("Failed to mount %s on %s type %s flags=%x opts=%s"),
 srcpath, mnt->dst, NULLSTR(mnt->type),
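Review bot: The widened test `(!is_selinux_enabled() || userns_enabled)` in the first hunk has no comment saying why a user namespace rules out the selinuxfs mount, so the skip is hard to tell from an oversight once the commit message is out of sight. I would put `/* selinuxfs cannot be mounted when a user namespace is in use; skip it rather than tolerate the mount error */` above the `if`. Separately, `!is_selinux_enabled()` treats a negative return as "enabled"; if the libselinux in use can return -1 on error, that case now reaches the mount() call, whose EINVAL/EPERM failure is fatal after the second hunk, and `is_selinux_enabled() <= 0 || userns_enabled` would be the safer test. lxcContainerMountBasicFS starts and ends outside both hunks, so how `userns_enabled` is derived by the caller is not visible here.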