author | Lennart Poettering <lennart@poettering.net> | 2014-03-11 17:43:00 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-03-11 17:43:41 +0100 |
commit | a07f961e98456714e7516c75041d5150d8641776 (patch) | |
tree | bfc39435dcc5c5b0d734459b636caaf2c9d71c51 /src/nspawn | |
parent | e41969e3d1a8bda8b0b2f7eb012cef1c8835509a (diff) |
nspawn: allow using kdbus from nspawn containers
Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index cd31bd42cc..1051b922c9 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1258,7 +1258,7 @@ static int register_machine(pid_t pid) {
                 return r;
         }
 
-        r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 8,
+        r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
                                   /* Allow the container to
                                    * access and create the API
                                    * device nodes, so that
@@ -1277,7 +1277,18 @@ static int register_machine(pid_t pid) {
                                    * container to ever create
                                    * these device nodes. */
                                   "/dev/pts/ptmx", "rw",
-                                  "char-pts", "rw");
+                                  "char-pts", "rw",
+                                  /* Allow the container
+                                   * access to all kdbus
+                                   * devices. Again, the
+                                   * container cannot create
+                                   * these nodes, only use
+                                   * them. We use a pretty
+                                   * open match here, so that
+                                   * the kernel API can still
+                                   * change. */
+                                  "char-kdbus", "rw",
+                                  "char-kdbus/*", "rw");
         if (r < 0) {
                 log_error("Failed to add device whitelist: %s", strerror(-r));
                 return r;
|
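Review bot: The element count `10` on the first hunk's `sd_bus_message_append` line is a bare literal that has to be kept in step by hand with the number of (path, mode) pairs that follow it, including the two `char-kdbus` pairs the second hunk appends; if the two drift apart the varargs reader consumes the wrong number of arguments, so the literal deserves a comment such as `/* number of (path, mode) pairs listed below; update when adding entries */` or a named constant that the array literal and the count both derive from. Both hunks belong to register_machine, whose body starts and ends outside them. The new kdbus entries carry mode `rw` rather than the `rwm` used for the API device nodes earlier in the list, which is consistent with the pts entries directly above and with the comment saying the container cannot create these nodes. Since `char-kdbus/*` is, as the comment states, a deliberately open match (presumably a pattern over device group names, to be confirmed against the DeviceAllow implementation), the set of devices it admits is whatever kdbus groups the running kernel registers and can widen without a change to this file; a short note to that effect next to the entry would help later reviewers of the whitelist.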