diff options
author | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-22 12:00:49 +0200 |
---|---|---|
committer | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-22 16:08:31 +0200 |
commit | 0d9e799102674c50e0755686a6b93f933d9f49a3 (patch) | |
tree | a02e298c4a12e5d7ac6a6cebbf6945eff5693b3d | |
parent | 54cd6556b32217b337d44c5072d2c2a1ccffd9a4 (diff) |
cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.
https://github.com/systemd/systemd/pull/3685 introduced
/run/systemd/inaccessible/{chr,blk} to map inacessible devices,
this patch allows systemd running inside a nspawn container to create
/run/systemd/inaccessible/{chr,blk}.
-rw-r--r-- | src/core/cgroup.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 8b0f11ed50..c19e43f571 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -800,7 +800,10 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) { "/dev/random\0" "rwm\0" "/dev/urandom\0" "rwm\0" "/dev/tty\0" "rwm\0" - "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */ + "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */ + /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */ + "/run/systemd/inaccessible/chr\0" "rwm\0" + "/run/systemd/inaccessible/blk\0" "rwm\0"; const char *x, *y; |