diff options
| -rw-r--r-- | src/nspawn/nspawn.c | 4 | ||||
| -rw-r--r-- | units/systemd-nspawn@.service.in | 14 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index f43ffd97c5..29652e00e5 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2014,6 +2014,10 @@ static int register_machine(pid_t pid, int local_ifindex) { if (r < 0) return bus_log_create_error(r); + /* If you make changes here, also make sure to update + * systemd-nspawn@.service, to keep the device + * policies in sync regardless if we are run with or + * without the --keep-unit switch. */ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9, /* Allow the container to * access and create the API diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 3e26b53fd6..6bfa55ac37 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -19,5 +19,19 @@ RestartForceExitStatus=133 SuccessExitStatus=133 Delegate=yes +# Enforce a strict device policy, similar to the one nspawn configures +# when it allocates its own scope unit. Make sure to keep these +# policies in sync if you change them! +DevicePolicy=strict +DeviceAllow=/dev/null rwm +DeviceAllow=/dev/zero rwm +DeviceAllow=/dev/full rwm +DeviceAllow=/dev/random rwm +DeviceAllow=/dev/urandom rwm +DeviceAllow=/dev/tty rwm +DeviceAllow=/dev/net/tun rwm +DeviceAllow=/dev/pts/ptmx rw +DeviceAllow=char-pts rw + [Install] WantedBy=machines.target |