summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorDongsu Park <dongsu@endocode.com>2016-11-29 20:16:55 +0100
committerLennart Poettering <lennart@poettering.net>2016-11-29 20:16:55 +0100
commite7330dfe14b1965fe8a2e25df248f45d46cfb26d (patch)
treec88b9e28dec5ba5d8b234a567df80fd7543d32fb /src/core
parenta9d2d40dbabd241354f62b57f407fb23c20d7860 (diff)
cgroup: support prefix "-" in cgroups whitelisting entries (#4687)
So far systemd-nspawn container has been creating files under /run/systemd/inaccessible, no matter whether it's running in user namespace or not. That's fine for regular files, dirs, socks, fifos. However, it's not for block and character devices, because kernel doesn't allow them to be created under user namespace. It results in warnings at booting like that: ==== Couldn't stat device /run/systemd/inaccessible/chr Couldn't stat device /run/systemd/inaccessible/blk ==== Thus we need to have the cgroups whitelisting handler to silently ignore a file, when the device path is prefixed with "-". That's exactly the same convention used in directives like ReadOnlyPaths=. Also insert the prefix "-" to inaccessible entries.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/cgroup.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index bd6248406f..6dab6e9043 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -293,8 +293,11 @@ static int whitelist_device(const char *path, const char *node, const char *acc)
assert(acc);
if (stat(node, &st) < 0) {
- log_warning("Couldn't stat device %s", node);
- return -errno;
+ /* path starting with "-" must be silently ignored */
+ if (errno == ENOENT && startswith(node, "-"))
+ return 0;
+
+ return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
}
if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
@@ -914,8 +917,8 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
"/dev/tty\0" "rwm\0"
"/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
/* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
- "/run/systemd/inaccessible/chr\0" "rwm\0"
- "/run/systemd/inaccessible/blk\0" "rwm\0";
+ "-/run/systemd/inaccessible/chr\0" "rwm\0"
+ "-/run/systemd/inaccessible/blk\0" "rwm\0";
const char *x, *y;