exec: introduce PrivateDevices= switch to provide services with a private /dev

Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
author: Lennart Poettering <lennart@poettering.net> 2014-01-20 19:54:51 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-01-20 21:28:37 +0100
commit: 7f112f50fea585411ea2d493b3582bea77eb4d6e (patch)
tree: 2c670344aa6be9fff8bf4538d2e188bf280ecde3 /src/core/execute.c
parent: 3540c7f88fd4b860d3d6d0e931ddb7cd91bc559a (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 4317afad8a..91e4352f9a 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1427,7 +1427,8 @@ int exec_spawn(ExecCommand *command,
                     !strv_isempty(context->read_only_dirs) ||
                     !strv_isempty(context->inaccessible_dirs) ||
                     context->mount_flags != 0 ||
-                    (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))) {
+                    (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+                    context->private_devices) {
 
                         char *tmp = NULL, *var = NULL;
 
@@ -1450,6 +1451,7 @@ int exec_spawn(ExecCommand *command,
                                         context->inaccessible_dirs,
                                         tmp,
                                         var,
+                                        context->private_devices,
                                         context->mount_flags);
 
                         if (err < 0) {
@@ -1896,6 +1898,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 "%sNonBlocking: %s\n"
                 "%sPrivateTmp: %s\n"
                 "%sPrivateNetwork: %s\n"
+                "%sPrivateDevices: %s\n"
                 "%sIgnoreSIGPIPE: %s\n",
                 prefix, c->umask,
                 prefix, c->working_directory ? c->working_directory : "/",
@@ -1903,6 +1906,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 prefix, yes_no(c->non_blocking),
                 prefix, yes_no(c->private_tmp),
                 prefix, yes_no(c->private_network),
+                prefix, yes_no(c->private_devices),
                 prefix, yes_no(c->ignore_sigpipe));
 
         STRV_FOREACH(e, c->environment)
author	Lennart Poettering <lennart@poettering.net>	2014-01-20 19:54:51 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-01-20 21:28:37 +0100
commit	7f112f50fea585411ea2d493b3582bea77eb4d6e (patch)
tree	2c670344aa6be9fff8bf4538d2e188bf280ecde3 /src/core/execute.c
parent	3540c7f88fd4b860d3d6d0e931ddb7cd91bc559a (diff)