cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular devices nodes

author: Lennart Poettering <lennart@poettering.net> 2014-02-22 02:47:29 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-22 03:05:34 +0100
commit: 90060676c442604780634c0a993e3f9c3733f8e6 (patch)
tree: b9a4ea6ffee5bcffdf63f3034f7c460f5559c30f /src/core/dbus-cgroup.c
parent: 1620510ada018f1e1f0be114714826f6698501f2 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 792f37eef5..b8a77254d9 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -442,8 +442,11 @@ int bus_cgroup_set_property(
 
                 while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) {
 
-                        if (!path_startswith(path, "/dev"))
-                                return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
+                        if ((!startswith(path, "/dev/") &&
+                             !startswith(path, "block-") &&
+                             !startswith(path, "char-")) ||
+                            strpbrk(path, WHITESPACE))
+                            return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
 
                         if (isempty(rwm))
                                 rwm = "rwm";
author	Lennart Poettering <lennart@poettering.net>	2014-02-22 02:47:29 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-02-22 03:05:34 +0100
commit	90060676c442604780634c0a993e3f9c3733f8e6 (patch)
tree	b9a4ea6ffee5bcffdf63f3034f7c460f5559c30f /src/core/dbus-cgroup.c
parent	1620510ada018f1e1f0be114714826f6698501f2 (diff)