Richard W.M. Jones wrote:
I think this patch is also uncontroversial.
If selinux=1 then we mount /selinux in the appliance. We also
bind-mount it into guests when running commands, just like we do for
/proc, /dev etc.
If SELinux is disabled, then /selinux doesn't get mounted.
...
diff --git a/daemon/command.c b/daemon/command.c
index 0399255..3261513 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -31,8 +31,9 @@ do_command (char **argv)
{
char *out, *err;
int r;
- char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys;
- int proc_ok, dev_ok, dev_pts_ok, sys_ok;
+ char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc,
+ *sysroot_selinux, *sysroot_sys;
+ int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok;
/* We need a root filesystem mounted to do this. */
NEED_ROOT (NULL);
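Review bot: the declaration hunk reorders the existing sysroot_* and *_ok variables alphabetically at the same time as it adds sysroot_selinux and selinux_ok, so four of the five changed lines are churn rather than the functional change. Suggest keeping the original order and appending the two new names (or doing the alphabetical reorder as a separate cleanup), which keeps the SELinux change itself to two lines and makes it easier to review and to bisect later.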
@@ -57,6 +58,7 @@ do_command (char **argv)
sysroot_dev = sysroot_path ("/dev");
sysroot_dev_pts = sysroot_path ("/dev/pts");
sysroot_proc = sysroot_path ("/proc");
+ sysroot_selinux = sysroot_path ("/selinux");
sysroot_sys = sysroot_path ("/sys");
r = command (NULL, NULL, "mount", "--bind", "/dev",
sysroot_dev, NULL);
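Review bot: the new `sysroot_selinux = sysroot_path ("/selinux");` follows the pattern of the neighbouring assignments and, like them, is never checked for NULL before the first `mount --bind` runs, so an allocation failure inside sysroot_path would hand a NULL path to the mount command. Suggest checking each sysroot_* result for NULL right after the assignments and returning an error before any mount is attempted, rather than adding a fifth unchecked allocation to the list. Two things are also not visible in this hunk and should be confirmed in the rest of the patch: that the bind-mount of /selinux is skipped when SELinux is disabled (the cover text says /selinux is not mounted in that case, so a mount of a non-existent source should not be attempted or should not be reported as a failure), and that sysroot_selinux is freed alongside the other sysroot_* strings on every exit path.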
Shouldn't each of these sysroot_* variables be tested,
in case sysroot_path's malloc has failed?