-rw-r--r-- | Makefile.am | 3 | ||||
-rw-r--r-- | TODO | 6 | ||||
-rw-r--r-- | src/tmpfiles/tmpfiles.c | 16 |
3 files changed, 18 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index ae775c8c39..f88d193b41 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1296,7 +1296,8 @@ systemd_tmpfiles_SOURCES = \
 systemd_tmpfiles_LDADD = \
 libsystemd-label.la \
- libsystemd-shared.la
+ libsystemd-shared.la \
+ libsystemd-capability.la
 # ------------------------------------------------------------------------------
 systemd_machine_id_setup_SOURCES = \
@@ -61,11 +61,9 @@ Features:
 * json: properly serialize multiple fields with the same name per entry
-* journalctl: make -l the default
-
 * journald: add option to choose between "split up nothing", "split up login user journals", "split up all user journals"
-* journal live copy, bsaed on libneon (client) and libmicrohttpd
+* journal live copy, based on libneon (client) and libmicrohttpd
 * document in wiki json serialization
@@ -81,8 +79,6 @@ Features:
 * system.conf should have controls for cgroups
-* tmpfiles: skip mknod if CAP_MKNOD is missing
-
 * bind mount read-only the cgroup tree higher than than nspawn
 * currently system services appear not to generate core dumps...
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index e70332ca06..323781f973 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -38,6 +38,7 @@
 #include <sys/param.h>
 #include <glob.h>
 #include <fnmatch.h>
+#include <sys/capability.h>
 #include "log.h"
 #include "util.h"
@@ -47,6 +48,7 @@
 #include "label.h"
 #include "set.h"
 #include "conf-files.h"
+#include "capability.h"
 /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
 * them in the file system. This is intended to be used to create
@@ -764,7 +766,19 @@ static int create_item(Item *i) {
 case CREATE_BLOCK_DEVICE:
 case CREATE_CHAR_DEVICE: {
- mode_t file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
+ mode_t file_type;
+
+ if (have_effective_cap(CAP_MKNOD) == 0) {
+ /* In a container we lack CAP_MKNOD. We
+ shouldnt attempt to create the device node in
+ that case to avoid noise, and we don't support
+ virtualized devices in containers anyway. */
+
+ log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path);
+ return 0;
+ }
+
+ file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
 u = umask(0);
 label_context_set(i->path, file_type); |