diff options
| author | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-22 11:58:03 +0200 |
|---|---|---|
| committer | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-22 16:08:26 +0200 |
| commit | 54cd6556b32217b337d44c5072d2c2a1ccffd9a4 (patch) | |
| tree | 174b1928950a147d27bcd89a265c2174c65a7a93 /src | |
| parent | b3d1d51603408e7aea7971fabf41b38c9e12fd69 (diff) | |
nspawn: set DevicesPolicy closed and clean up duplicated devices
Diffstat (limited to 'src')
| -rw-r--r-- | src/nspawn/nspawn-register.c | 17 |
1 files changed, 3 insertions, 14 deletions
diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c index 7fd711b8a4..e5b76a0c5d 100644 --- a/src/nspawn/nspawn-register.c +++ b/src/nspawn/nspawn-register.c @@ -104,7 +104,7 @@ int register_machine( return bus_log_create_error(r); } - r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict"); + r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "closed"); if (r < 0) return bus_log_create_error(r); @@ -112,31 +112,20 @@ int register_machine( * systemd-nspawn@.service, to keep the device * policies in sync regardless if we are run with or * without the --keep-unit switch. */ - r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11, + r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 2, /* Allow the container to * access and create the API * device nodes, so that * PrivateDevices= in the * container can work * fine */ - "/dev/null", "rwm", - "/dev/zero", "rwm", - "/dev/full", "rwm", - "/dev/random", "rwm", - "/dev/urandom", "rwm", - "/dev/tty", "rwm", "/dev/net/tun", "rwm", /* Allow the container * access to ptys. However, * do not permit the * container to ever create * these device nodes. */ - "/dev/pts/ptmx", "rw", - "char-pts", "rw", - /* Allow /run/systemd/inaccessible/{chr,blk} - * devices inside the container */ - "/run/systemd/inaccessible/chr", "rwm", - "/run/systemd/inaccessible/blk", "rwm"); + "char-pts", "rw"); if (r < 0) return bus_log_create_error(r); |