diff options
author | Dongsu Park <dongsu@endocode.com> | 2016-11-29 20:16:55 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-11-29 20:16:55 +0100 |
commit | e7330dfe14b1965fe8a2e25df248f45d46cfb26d (patch) | |
tree | c88b9e28dec5ba5d8b234a567df80fd7543d32fb /src/core | |
parent | a9d2d40dbabd241354f62b57f407fb23c20d7860 (diff) |
cgroup: support prefix "-" in cgroups whitelisting entries (#4687)
So far systemd-nspawn container has been creating files under
/run/systemd/inaccessible, no matter whether it's running in user
namespace or not. That's fine for regular files, dirs, socks, fifos.
However, it's not for block and character devices, because kernel
doesn't allow them to be created under user namespace. It results
in warnings at booting like that:
====
Couldn't stat device /run/systemd/inaccessible/chr
Couldn't stat device /run/systemd/inaccessible/blk
====
Thus we need to have the cgroups whitelisting handler to silently ignore
a file, when the device path is prefixed with "-". That's exactly the
same convention used in directives like ReadOnlyPaths=. Also insert the
prefix "-" to inaccessible entries.
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/cgroup.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c index bd6248406f..6dab6e9043 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -293,8 +293,11 @@ static int whitelist_device(const char *path, const char *node, const char *acc) assert(acc); if (stat(node, &st) < 0) { - log_warning("Couldn't stat device %s", node); - return -errno; + /* path starting with "-" must be silently ignored */ + if (errno == ENOENT && startswith(node, "-")) + return 0; + + return log_warning_errno(errno, "Couldn't stat device %s: %m", node); } if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) { @@ -914,8 +917,8 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) { "/dev/tty\0" "rwm\0" "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */ /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */ - "/run/systemd/inaccessible/chr\0" "rwm\0" - "/run/systemd/inaccessible/blk\0" "rwm\0"; + "-/run/systemd/inaccessible/chr\0" "rwm\0" + "-/run/systemd/inaccessible/blk\0" "rwm\0"; const char *x, *y; |