diff options
-rw-r--r-- | src/core/dbus-cgroup.c | 1 | ||||
-rw-r--r-- | src/nspawn/nspawn-register.c | 8 | ||||
-rw-r--r-- | units/systemd-nspawn@.service.in | 2 |
3 files changed, 9 insertions, 2 deletions
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c index 27bbe2d26d..6167ce92cd 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c @@ -960,6 +960,7 @@ int bus_cgroup_set_property( while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) { if ((!startswith(path, "/dev/") && + !startswith(path, "/run/systemd/inaccessible/") && !startswith(path, "block-") && !startswith(path, "char-")) || strpbrk(path, WHITESPACE)) diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c index 20103c5e88..7fd711b8a4 100644 --- a/src/nspawn/nspawn-register.c +++ b/src/nspawn/nspawn-register.c @@ -112,7 +112,7 @@ int register_machine( * systemd-nspawn@.service, to keep the device * policies in sync regardless if we are run with or * without the --keep-unit switch. */ - r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9, + r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11, /* Allow the container to * access and create the API * device nodes, so that @@ -132,7 +132,11 @@ int register_machine( * container to ever create * these device nodes. */ "/dev/pts/ptmx", "rw", - "char-pts", "rw"); + "char-pts", "rw", + /* Allow /run/systemd/inaccessible/{chr,blk} + * devices inside the container */ + "/run/systemd/inaccessible/chr", "rwm", + "/run/systemd/inaccessible/blk", "rwm"); if (r < 0) return bus_log_create_error(r); diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index ea28941507..a88774a495 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -35,6 +35,8 @@ DeviceAllow=/dev/tty rwm DeviceAllow=/dev/net/tun rwm DeviceAllow=/dev/pts/ptmx rw DeviceAllow=char-pts rw +DeviceAllow=/run/systemd/inaccessible/chr rwm +DeviceAllow=/run/systemd/inaccessible/blk rwm # nspawn itself needs access to /dev/loop-control and /dev/loop, to # implement the --image= option. Add these here, too. |