summaryrefslogtreecommitdiff
path: root/units/systemd-nspawn@.service.in
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-04-28 20:46:03 +0200
committerLennart Poettering <lennart@poettering.net>2015-04-28 21:34:23 +0200
commit773ce3d89c25aa51b0fe9085bd0eb7ba5e50508b (patch)
tree8269eb32c9b9a9be39b72842224b9f20ed5eaa08 /units/systemd-nspawn@.service.in
parenta509f0e631b12cfec6aafe4d152532109082efc9 (diff)
nspawn: make sure we install the device policy if nspawn is run as unit as on the command line
Diffstat (limited to 'units/systemd-nspawn@.service.in')
-rw-r--r--units/systemd-nspawn@.service.in14
1 files changed, 14 insertions, 0 deletions
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 3e26b53fd6..6bfa55ac37 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -19,5 +19,19 @@ RestartForceExitStatus=133
SuccessExitStatus=133
Delegate=yes
+# Enforce a strict device policy, similar to the one nspawn configures
+# when it allocates its own scope unit. Make sure to keep these
+# policies in sync if you change them!
+DevicePolicy=strict
+DeviceAllow=/dev/null rwm
+DeviceAllow=/dev/zero rwm
+DeviceAllow=/dev/full rwm
+DeviceAllow=/dev/random rwm
+DeviceAllow=/dev/urandom rwm
+DeviceAllow=/dev/tty rwm
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/pts/ptmx rw
+DeviceAllow=char-pts rw
+
[Install]
WantedBy=machines.target