summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlessandro Puccetti <alessandro@kinvolk.io>2016-07-22 11:58:03 +0200
committerAlessandro Puccetti <alessandro@kinvolk.io>2016-07-22 16:08:26 +0200
commit54cd6556b32217b337d44c5072d2c2a1ccffd9a4 (patch)
tree174b1928950a147d27bcd89a265c2174c65a7a93 /src
parentb3d1d51603408e7aea7971fabf41b38c9e12fd69 (diff)
nspawn: set DevicesPolicy closed and clean up duplicated devices
Diffstat (limited to 'src')
-rw-r--r--src/nspawn/nspawn-register.c17
1 files changed, 3 insertions, 14 deletions
diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
index 7fd711b8a4..e5b76a0c5d 100644
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@@ -104,7 +104,7 @@ int register_machine(
return bus_log_create_error(r);
}
- r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
+ r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "closed");
if (r < 0)
return bus_log_create_error(r);
@@ -112,31 +112,20 @@ int register_machine(
* systemd-nspawn@.service, to keep the device
* policies in sync regardless if we are run with or
* without the --keep-unit switch. */
- r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 2,
/* Allow the container to
* access and create the API
* device nodes, so that
* PrivateDevices= in the
* container can work
* fine */
- "/dev/null", "rwm",
- "/dev/zero", "rwm",
- "/dev/full", "rwm",
- "/dev/random", "rwm",
- "/dev/urandom", "rwm",
- "/dev/tty", "rwm",
"/dev/net/tun", "rwm",
/* Allow the container
* access to ptys. However,
* do not permit the
* container to ever create
* these device nodes. */
- "/dev/pts/ptmx", "rw",
- "char-pts", "rw",
- /* Allow /run/systemd/inaccessible/{chr,blk}
- * devices inside the container */
- "/run/systemd/inaccessible/chr", "rwm",
- "/run/systemd/inaccessible/blk", "rwm");
+ "char-pts", "rw");
if (r < 0)
return bus_log_create_error(r);