Add selinuxfs to be mounted in the container

As a follow-on to containers#302, we want to also mount the selinuxfs special filesystem if the host also has that filesystem mounted. Related containers#303 Signed-off-by: Brad P. Crochet <brad@redhat.com>
bcrochet · Feb 14, 2024 · 2d81174 · 2d81174
1 parent 406b905
commit 2d81174
Showing 1 changed file with 32 additions and 27 deletions.
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -865,37 +865,42 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
 #[context("Ensuring sys mounts")]
 pub(crate) fn setup_sys_mounts() -> Result<()> {
     tracing::debug!("Setting up sys mounts");
+    let filesystems = vec![
+        ("efivarfs", "/sys/firmware/efi/efivars"),
+        ("selinuxfs", "/sys/fs/selinux"),
+    ];
+    for (fstype, fspath) in filesystems {
+        let rootfs = format!("/proc/1/root/{fspath}");
+        // Does efivars even exist in the host? If not, we are
+        // not dealing with an EFI system
+        if !Path::new(rootfs.as_str()).try_exists()? {
+            continue;
+        }
 
-    let root_efivars = "/sys/firmware/efi/efivars";
-    let efivars = format!("/proc/1/root/{root_efivars}");
-    // Does efivars even exist in the host? If not, we are
-    // not dealing with an EFI system
-    if !Path::new(efivars.as_str()).try_exists()? {
-        return Ok(());
-    }
-
-    // Now, let's find out if it's populated
-    if std::fs::read_dir(efivars)?.next().is_none() {
-        return Ok(());
-    }
+        // Now, let's find out if it's populated
+        if std::fs::read_dir(rootfs)?.next().is_none() {
+            continue;
+        }
 
-    // First of all, does the container already have the mount?
-    let path = Utf8Path::new(root_efivars);
-    if path.try_exists()? {
-        tracing::debug!("Check if efivarfs already mount");
-        let inspect = crate::mount::inspect_filesystem(path);
-        if inspect.is_ok() {
-            tracing::trace!("Already have efivarfs {root_efivars}");
-            return Ok(());
+        // First of all, does the container already have the mount?
+        let path = Utf8Path::new(fspath);
+        if path.try_exists()? {
+            tracing::debug!("Check if {fstype} already mounted");
+            let rootfs_fd = Dir::open_ambient_dir(path, cap_std::ambient_authority())?;
+            if let Some(true) = ostree_ext::mountutil::is_mountpoint(&rootfs_fd, ".")? {
+                tracing::trace!("Already have {fstype} {fspath}");
+                continue;
+            }
         }
-    }
 
-    // This means the host has this mounted, so we should mount it too
-    Task::new_and_run(
-        "Mounting efivarfs /sys/firmware/efi/efivars",
-        "mount",
-        ["-t", "efivarfs", "efivars", "/sys/firmware/efi/efivars"],
-    )
+        // This means the host has this mounted, so we should mount it too
+        let _ = Task::new_and_run(
+            format!("Mounting {fstype} {fspath}"),
+            "mount",
+            ["-t", fstype, fstype, fspath],
+        )?;
+    }
+    Ok(())
 }
 
 /// Verify that we can load the manifest of the target image