From 0d9e799102674c50e0755686a6b93f933d9f49a3 Mon Sep 17 00:00:00 2001
From: Alessandro Puccetti
Date: Fri, 22 Jul 2016 12:00:49 +0200
Subject: cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.

https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inacessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
---
 src/core/cgroup.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/core')

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 8b0f11ed50..c19e43f571 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -800,7 +800,10 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
                                 "/dev/random\0" "rwm\0"
                                 "/dev/urandom\0" "rwm\0"
                                 "/dev/tty\0" "rwm\0"
-                                "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */
+                                "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
+                                /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+                                "/run/systemd/inaccessible/chr\0" "rwm\0"
+                                "/run/systemd/inaccessible/blk\0" "rwm\0";
 
                         const char *x, *y;
 
-- 
cgit v1.2.3-54-g00ecf
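Review bot: The two added entries grant `rwm`, but neither the hunk nor its comment says what device numbers are being whitelisted: if these paths are resolved the same way as the /dev entries above them (a stat() of the host's own node to obtain its major:minor), the access granted depends entirely on the dev_t the host's inaccessible nodes carry, and the comment should record that assumption, e.g. `/* whitelisted by the dev_t of the host's own inaccessible nodes, so a nested systemd may mknod() its own copies */`. If the goal stated in the commit message is only to let a nested systemd create these nodes, `"m\0"` is the least privilege that achieves it; the `r` and `w` bits add nothing for nodes that are by design not meant to be opened. On a host where /run/systemd/inaccessible has not been populated, the lookup will presumably fail for every unit with DevicePolicy=closed or auto and emit a warning each time, which may be worth guarding with an existence check before adding the entries. cgroup_context_apply() begins and ends outside the hunk.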