mirror of
https://github.com/systemd/systemd
synced 2024-09-06 16:56:43 +00:00
core: do not make private /dev/ read-only too soon
The read-only bit is flipped after setting up all the mounts, so that bind mounts can be added. Remove the early config, and add a unit test. Fixes https://github.com/systemd/systemd/issues/30372
This commit is contained in:
parent
0122c7d060
commit
ae7482b994
|
@ -1070,11 +1070,6 @@ static int mount_private_dev(MountEntry *m, RuntimeScope scope) {
|
|||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
|
||||
|
||||
/* Make the bind mount read-only. */
|
||||
r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Create the /dev directory if missing. It is more likely to be missing when the service is started
|
||||
* with RootDirectory. This is consistent with mount units creating the mount points when missing. */
|
||||
(void) mkdir_p_label(mount_entry_path(m), 0755);
|
||||
|
|
|
@ -438,6 +438,8 @@ static void test_exec_privatedevices(Manager *m) {
|
|||
|
||||
test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
|
||||
if (access("/dev/kvm", F_OK) >= 0)
|
||||
test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
|
||||
|
||||
|
|
10
test/test-execute/exec-privatedevices-bind.service
Normal file
10
test/test-execute/exec-privatedevices-bind.service
Normal file
|
@ -0,0 +1,10 @@
|
|||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
[Unit]
|
||||
Description=Test for PrivateDevices=yes with a bind mounted device
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -c 'test -c /dev/kmsg'
|
||||
ExecStart=/bin/sh -c 'test ! -w /dev/'
|
||||
Type=oneshot
|
||||
PrivateDevices=yes
|
||||
BindPaths=/dev/kmsg
|
Loading…
Reference in a new issue