diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-04-28 20:46:03 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-04-28 21:34:23 +0200 |
commit | 773ce3d89c25aa51b0fe9085bd0eb7ba5e50508b (patch) | |
tree | 8269eb32c9b9a9be39b72842224b9f20ed5eaa08 | |
parent | a509f0e631b12cfec6aafe4d152532109082efc9 (diff) | |
download | systemd-773ce3d89c25aa51b0fe9085bd0eb7ba5e50508b.tar.gz systemd-773ce3d89c25aa51b0fe9085bd0eb7ba5e50508b.tar.bz2 systemd-773ce3d89c25aa51b0fe9085bd0eb7ba5e50508b.zip |
nspawn: make sure we install the device policy if nspawn is run as unit as on the command line
-rw-r--r-- | src/nspawn/nspawn.c | 4 | ||||
-rw-r--r-- | units/systemd-nspawn@.service.in | 14 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index f43ffd97c5..29652e00e5 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2014,6 +2014,10 @@ static int register_machine(pid_t pid, int local_ifindex) { if (r < 0) return bus_log_create_error(r); + /* If you make changes here, also make sure to update + * systemd-nspawn@.service, to keep the device + * policies in sync regardless if we are run with or + * without the --keep-unit switch. */ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9, /* Allow the container to * access and create the API diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 3e26b53fd6..6bfa55ac37 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -19,5 +19,19 @@ RestartForceExitStatus=133 SuccessExitStatus=133 Delegate=yes +# Enforce a strict device policy, similar to the one nspawn configures +# when it allocates its own scope unit. Make sure to keep these +# policies in sync if you change them! +DevicePolicy=strict +DeviceAllow=/dev/null rwm +DeviceAllow=/dev/zero rwm +DeviceAllow=/dev/full rwm +DeviceAllow=/dev/random rwm +DeviceAllow=/dev/urandom rwm +DeviceAllow=/dev/tty rwm +DeviceAllow=/dev/net/tun rwm +DeviceAllow=/dev/pts/ptmx rw +DeviceAllow=char-pts rw + [Install] WantedBy=machines.target |