git.ipfire.org Git - thirdparty/systemd.git/commit - units/systemd-nspawn@.service.in

author	Iain Lane <iain.lane@canonical.com>
	Tue, 7 Jan 2020 14:33:29 +0000 (14:33 +0000)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 7 Jan 2020 17:37:30 +0000 (18:37 +0100)
commit	625077264ba01a108386eeea733ee244e6b7ff14
tree	467bc13e5b6dc3e9f323a8f9edcf51141e37e4c0	tree \| snapshot
parent	7a182f10343796eab92a8256e347c11b4be78ea7	commit \| diff

units: Split modprobing out into a separate service unit

Devices referred to by `DeviceAllow=` sandboxing are resolved into their
corresponding major numbers when the unit is loaded by looking at
`/proc/devices`. If a reference is made to a device which is not yet
available, the `DeviceAllow` is ignored and the unit's processes cannot
access that device.

In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe`
in `ExecStartPre=` to load some kernel modules. Those kernel modules
cause device nodes to become available when they are loaded: the device
nodes may not exist when the unit itself is loaded. This means that the
unit's processes will not be able to access the device since the
`DeviceAllow=` will have been resolved earlier and denied it.

One way to fix this would be to re-evaluate the available devices and
re-apply the policy to the cgroup, but this cannot work atomically on
cgroupsv1. So we fall back to a second approach: instead of running
`modprobe` via `ExecStartPre`, we move this out to a separate unit and
order it before the units which want the module.

Closes #14322.
Fixes: #13943.

units/meson.build		diff \| blob \| blame \| history
units/modprobe@.service	[new file with mode: 0644]	blob
units/systemd-logind.service.in		diff \| blob \| blame \| history
units/systemd-nspawn@.service.in		diff \| blob \| blame \| history