From ce5b3ad4508fa6d561fcccff0852afaace1d82ac Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 14 May 2015 22:51:05 +0200
Subject: nspawn: allow access to device nodes listed in --bind= and --bind-ro= switches
https://bugs.freedesktop.org/show_bug.cgi?id=90385
---
 src/nspawn/nspawn.c | 19 +++++++++++++++++++
 src/shared/util.c | 9 +++++++++
 src/shared/util.h | 1 +
 3 files changed, 29 insertions(+)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index fbf23440f7..8aa7b451bb 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2210,6 +2210,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
 } else {
 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
 char **i;
+ unsigned j;
 r = sd_bus_message_new_method_call(
 bus,
@@ -2276,6 +2277,24 @@ static int register_machine(pid_t pid, int local_ifindex) {
 if (r < 0)
 return bus_log_create_error(r);
+ for (j = 0; j < arg_n_custom_mounts; j++) {
+ CustomMount *cm = &arg_custom_mounts[j];
+
+ if (cm->type != CUSTOM_MOUNT_BIND)
+ continue;
+
+ r = is_device_node(cm->source);
+ if (r < 0)
+ return log_error_errno(r, "Failed to stat %s: %m", cm->source);
+
+ if (r) {
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 1,
+ cm->source, cm->read_only ? "r" : "rw");
+ if (r < 0)
+ return log_error_errno(r, "Failed to append message arguments: %m");
+ }
+ }
+
 if (arg_kill_signal != 0) {
 r = sd_bus_message_append(m, "(sv)", "KillSignal", "i", arg_kill_signal);
 if (r < 0)
diff --git a/src/shared/util.c b/src/shared/util.c
index 72711e133a..dda88bd2ee 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
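Review bot: The new loop in register_machine() only whitelists a bind source that is itself a device node, because is_device_node() (added to src/shared/util.c in this same patch) classifies with lstat(): a --bind= or --bind-ro= source that is a symlink to a node, as is common under /dev/disk/by-*/ or /dev/mapper/, yields 0 and gets no DeviceAllow entry, while the bind mount itself presumably resolves the link, so the operator silently ends up with the node mounted but the access this patch intends to grant missing. Either let the helper follow links (stat() instead of lstat(), or a `follow` flag as is_dir() has) or state the limitation above the loop, e.g. `/* Device nodes bound into the container must also be on the unit's DeviceAllow list; the source must name the node itself, symlinks are not resolved here. */`. A one-line comment on the `cm->read_only ? "r" : "rw"` choice would also help, since it is where the read-only bind turns into a narrower device permission. register_machine() begins and ends outside the hunk.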
@@ -5435,6 +5435,15 @@ int is_dir(const char* path, bool follow) {
 return !!S_ISDIR(st.st_mode);
 }
+int is_device_node(const char *path) {
+ struct stat info;
+
+ if (lstat(path, &info) < 0)
+ return -errno;
+
+ return !!(S_ISBLK(info.st_mode) || S_ISCHR(info.st_mode));
+}
+
 int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
 _cleanup_free_ char *s = NULL;
 size_t allocated = 0, sz = 0;
diff --git a/src/shared/util.h b/src/shared/util.h
index 0c81e3dc45..22f505c0cb 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -852,6 +852,7 @@ int take_password_lock(const char *root);
 int is_symlink(const char *path);
 int is_dir(const char *path, bool follow);
+int is_device_node(const char *path);
 typedef enum UnquoteFlags {
 UNQUOTE_RELAX = 1,
--
cgit v1.2.3-54-g00ecf
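Review bot: is_device_node() in src/shared/util.c carries no comment stating its contract, and neither does the declaration added to src/shared/util.h, even though the neighbouring is_dir() exposes a `follow` flag and this helper has a fixed, unannounced no-follow behaviour. A short header on the definition would do, e.g. `/* Returns 1 if path is a block or character device node, 0 otherwise, or a negative errno if lstat() fails. Symlinks are not followed. */`. It is worth spelling out the three-way result because callers must distinguish r < 0 (error) from r == 0 (not a device), as the nspawn caller in this patch does; the `!!()` keeps the success value a plain 0/1 rather than raw mode bits.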