restore: add lsm-mount-context option

The lsm-mount-context option allows to specify a new mount context to be used during restore. For example, if a mountpoint has been checkpointed with context like context="system_u:object_r:container_file_t:s0:c82,c137" it is possible to change this context using --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495" Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
containers · Oct 21, 2024 · ce89aa6 · ce89aa6
1 parent 9efd6a8
commit ce89aa6
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/src/libcrun/container.h b/src/libcrun/container.h
@@ -188,6 +188,7 @@ struct libcrun_checkpoint_restore_s
  bool pre_dump;
  int manage_cgroups_mode;
  char *lsm_profile;
+ char *lsm_mount_context;
 };
 typedef struct libcrun_checkpoint_restore_s libcrun_checkpoint_restore_t;
 

diff --git a/src/libcrun/criu.c b/src/libcrun/criu.c
@@ -90,6 +90,7 @@ struct libcriu_wrapper_s
  void (*criu_set_track_mem) (bool track_mem);
  void (*criu_set_work_dir_fd) (int fd);
  int (*criu_set_lsm_profile) (const char *name);
+ int (*criu_set_lsm_mount_context) (const char *name);
 };
 
 static struct libcriu_wrapper_s *libcriu_wrapper;
@@ -834,6 +835,13 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
  return crun_make_error (err, 0, "error setting LSM profile to `%s`", cr_options->lsm_profile);
  }
 
+ if (cr_options->lsm_mount_context != NULL)
+ {
+ ret = libcriu_wrapper->criu_set_lsm_mount_context (cr_options->lsm_mount_context);
+ if (UNLIKELY (ret != 0))
+ return crun_make_error (err, 0, "error setting LSM mount context to `%s`", cr_options->lsm_mount_context);
+ }
+
  /* Tell CRIU about external bind mounts. */
  for (i = 0; i < def->mounts_len; i++)
  {

diff --git a/src/restore.c b/src/restore.c
@@ -45,6 +45,7 @@ enum
  OPTION_FILE_LOCKS,
  OPTION_MANAGE_CGROUPS_MODE,
  OPTION_LSM_PROFILE,
+ OPTION_LSM_MOUNT_CONTEXT,
 };
 
 static char doc[] = "OCI runtime";
@@ -69,6 +70,7 @@ static struct argp_option options[]
  { "file-locks", OPTION_FILE_LOCKS, 0, 0, "allow file locks", 0 },
  { "manage-cgroups-mode", OPTION_MANAGE_CGROUPS_MODE, "MODE", 0, "cgroups mode: 'soft' (default), 'ignore', 'full' and 'strict'", 0 },
  { "lsm-profile", OPTION_LSM_PROFILE, "VALUE", 0, "Specify an LSM profile to be used during restore in the form of TYPE:NAME", 0 },
+ { "lsm-mount-context", OPTION_LSM_MOUNT_CONTEXT, "VALUE", 0, "Specify an LSM mount context to be used during restore", 0 },
  {
  0,
  } };
@@ -131,6 +133,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
  cr_options.lsm_profile = argp_mandatory_argument (arg, state);
  break;
 
+ case OPTION_LSM_MOUNT_CONTEXT:
+ cr_options.lsm_mount_context = argp_mandatory_argument (arg, state);
+ break;
+
  default:
  return ARGP_ERR_UNKNOWN;
  }