author | Lennart Poettering <lennart@poettering.net> | 2016-07-22 17:37:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-22 17:37:54 +0200 |
commit | 8a18507c55ea89451c32ae10d4cc11acc828b279 (patch) | |
tree | a02e298c4a12e5d7ac6a6cebbf6945eff5693b3d | |
parent | b3d1d51603408e7aea7971fabf41b38c9e12fd69 (diff) | |
parent | 0d9e799102674c50e0755686a6b93f933d9f49a3 (diff) |
Merge pull request #3779 from kinvolk/alessandro/nspawn-inaccessible-devs
cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy
-rw-r--r-- | src/core/cgroup.c | 5 | ||||
-rw-r--r-- | src/nspawn/nspawn-register.c | 17 | ||||
-rw-r--r-- | units/systemd-nspawn@.service.in | 11 |
3 files changed, 8 insertions, 25 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 8b0f11ed50..c19e43f571 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -800,7 +800,10 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
 "/dev/random\0" "rwm\0"
 "/dev/urandom\0" "rwm\0"
 "/dev/tty\0" "rwm\0"
- "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */
+ "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
+ /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+ "/run/systemd/inaccessible/chr\0" "rwm\0"
+ "/run/systemd/inaccessible/blk\0" "rwm\0";
 const char *x, *y;
diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
index 7fd711b8a4..e5b76a0c5d 100644
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@@ -104,7 +104,7 @@ int register_machine(
 return bus_log_create_error(r);
 }
- r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
+ r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "closed");
 if (r < 0)
 return bus_log_create_error(r);
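Review bot: The two new entries are granted `rwm` while the adjacent `/dev/pts/ptmx` entry deliberately stays `rw`, and the added comment only mentions "mapping InaccessiblePaths", which does not explain why mknod has to be allowed. The reason is visible elsewhere in this commit: nspawn-register.c drops its own `rwm` entries for these paths and now relies on this built-in list, so a container's PID 1 presumably has to be able to create the nodes itself. I would say so in the comment: `/* Allow /run/systemd/inaccessible/{chr,blk} for InaccessiblePaths=; "m" is needed because a container's PID 1 (nspawn relies on this list via DevicePolicy=closed) creates these nodes itself */`. Note that the paths are resolved to major:minor by the loop outside this hunk, so if the nodes do not exist when the policy is applied the entry is silently not granted, which is worth a sentence too. cgroup_context_apply() begins before and continues past this hunk.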
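Review bot: Switching `DevicePolicy` from `strict` to `closed` makes the container's device access depend on the whitelist compiled into the host's PID 1 rather than on the explicit list nspawn sends, so the effective policy now tracks the host systemd version, and nothing at the call site records that dependency; the comment just above (cut off at the top of the hunk) only talks about staying in sync with systemd-nspawn@.service. I would add next to the append: `/* "closed" makes PID 1 whitelist the API devices, /dev/pts/ptmx and /run/systemd/inaccessible/{chr,blk} (see cgroup_context_apply() in src/core/cgroup.c); only devices outside that set are listed below */`. register_machine() begins before and continues past this hunk.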
@@ -112,31 +112,20 @@ int register_machine(
 * systemd-nspawn@.service, to keep the device
 * policies in sync regardless if we are run with or
 * without the --keep-unit switch. */
- r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 2,
 /* Allow the container to
 * access and create the API
 * device nodes, so that
 * PrivateDevices= in the
 * container can work
 * fine */
- "/dev/null", "rwm",
- "/dev/zero", "rwm",
- "/dev/full", "rwm",
- "/dev/random", "rwm",
- "/dev/urandom", "rwm",
- "/dev/tty", "rwm",
 "/dev/net/tun", "rwm",
 /* Allow the container
 * access to ptys. However,
 * do not permit the
 * container to ever create
 * these device nodes. */
- "/dev/pts/ptmx", "rw",
- "char-pts", "rw",
- /* Allow /run/systemd/inaccessible/{chr,blk}
- * devices inside the container */
- "/run/systemd/inaccessible/chr", "rwm",
- "/run/systemd/inaccessible/blk", "rwm");
+ "char-pts", "rw");
 if (r < 0)
 return bus_log_create_error(r);
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 8f9cf9acfe..c8141639b6 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -25,18 +25,9 @@ TasksMax=16384
 # Enforce a strict device policy, similar to the one nspawn configures
 # when it allocates its own scope unit. Make sure to keep these
 # policies in sync if you change them!
-DevicePolicy=strict
-DeviceAllow=/dev/null rwm
-DeviceAllow=/dev/zero rwm
-DeviceAllow=/dev/full rwm
-DeviceAllow=/dev/random rwm
-DeviceAllow=/dev/urandom rwm
-DeviceAllow=/dev/tty rwm
+DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
-DeviceAllow=/dev/pts/ptmx rw
 DeviceAllow=char-pts rw
-DeviceAllow=/run/systemd/inaccessible/chr rwm
-DeviceAllow=/run/systemd/inaccessible/blk rwm
 # nspawn itself needs access to /dev/loop-control and /dev/loop, to
 # implement the --image= option. Add these here, too.
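Review bot: The context comment "Allow the container to access and create the API device nodes, so that PrivateDevices= in the container can work fine" is now stale: every API device it refers to was removed from this list and the only entry left under it is `/dev/net/tun`, so a reader will wonder where the API devices went. I would rewrite it as `/* The API device nodes, /dev/pts/ptmx and /run/systemd/inaccessible/{chr,blk} are whitelisted by DevicePolicy=closed in PID 1; list only what "closed" does not cover */`. The element count `2` has to stay equal to the number of string pairs that follow, since sd_bus_message_append reads that many varargs; a reminder comment on that literal would not hurt. The "do not permit the container to ever create these device nodes" comment still holds for the remaining `char-pts rw` entry. register_machine() begins before this hunk.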
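Review bot: The retained comment still says `# Enforce a strict device policy`, but the line under it now sets `DevicePolicy=closed`, which is a different and broader policy (PID 1 implicitly whitelists the API devices, `/dev/pts/ptmx` and `/run/systemd/inaccessible/{chr,blk}`, which is why those `DeviceAllow=` lines could be dropped). Suggest `# Enforce a closed device policy (PID 1 whitelists the API devices, /dev/pts/ptmx and /run/systemd/inaccessible/{chr,blk}), similar to the one nspawn configures` so that an administrator reading the unit understands why `/dev/null` and friends are no longer listed yet still accessible.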