nspawn: enable major=0/minor=0 devices inside the container (#3773)

https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inacessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
2024-07-22 10:44:58 +00:00 · 2016-07-21 17:39:38 +02:00 · 2016-07-21 17:39:38 +02:00 · 31d28eabc1
parent 4d07c8d386
commit 31d28eabc1
3 changed files with 9 additions and 2 deletions
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@ -960,6 +960,7 @@ int bus_cgroup_set_property(
                while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) {

                        if ((!startswith(path, "/dev/") &&
+                             !startswith(path, "/run/systemd/inaccessible/") &&
                             !startswith(path, "block-") &&
                             !startswith(path, "char-")) ||
                            strpbrk(path, WHITESPACE))
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@ -112,7 +112,7 @@ int register_machine(
                 * systemd-nspawn@.service, to keep the device
                 * policies in sync regardless if we are run with or
                 * without the --keep-unit switch. */
-                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
+                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
                                          /* Allow the container to
                                           * access and create the API
                                           * device nodes, so that
@ -132,7 +132,11 @@ int register_machine(
                                           * container to ever create
                                           * these device nodes. */
                                          "/dev/pts/ptmx", "rw",
-                                          "char-pts", "rw");
+                                          "char-pts", "rw",
+                                          /* Allow /run/systemd/inaccessible/{chr,blk}
+                                           * devices inside the container */
+                                          "/run/systemd/inaccessible/chr", "rwm",
+                                          "/run/systemd/inaccessible/blk", "rwm");
                if (r < 0)
                        return bus_log_create_error(r);

--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@ -35,6 +35,8 @@ DeviceAllow=/dev/tty rwm
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=/dev/pts/ptmx rw
 DeviceAllow=char-pts rw
+DeviceAllow=/run/systemd/inaccessible/chr rwm
+DeviceAllow=/run/systemd/inaccessible/blk rwm

 # nspawn itself needs access to /dev/loop-control and /dev/loop, to
 # implement the --image= option. Add these here, too.