core: do not make private /dev/ read-only too soon

author Luca Boccassi <bluca@debian.org>

Thu, 7 Dec 2023 22:19:11 +0000 (22:19 +0000)

committer Yu Watanabe <watanabe.yu+github@gmail.com>

Fri, 8 Dec 2023 02:09:14 +0000 (11:09 +0900)
author Luca Boccassi <bluca@debian.org>
Thu, 7 Dec 2023 22:19:11 +0000 (22:19 +0000)
committer Yu Watanabe <watanabe.yu+github@gmail.com>
Fri, 8 Dec 2023 02:09:14 +0000 (11:09 +0900)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 1a4d15a8004e2d336762d1e9cf7a8114e9b93e96..50d7b05aa094f9cd9ab1c8601ffc50ae2b00bcf7 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1070,11 +1070,6 @@ static int mount_private_dev(MountEntry *m, RuntimeScope scope) {
          if (r < 0)
                  log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
  
-        /* Make the bind mount read-only. */
-        r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
-        if (r < 0)
-                return r;
-
          /* Create the /dev directory if missing. It is more likely to be missing when the service is started
           * with RootDirectory. This is consistent with mount units creating the mount points when missing. */
          (void) mkdir_p_label(mount_entry_path(m), 0755);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c

index 9a03e291a03f6ec21710b587e9089c49e3337087..88e4c8d4d93dff0da3be63d9c0f4d81c2f62274a 100644 (file)
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -438,6 +438,8 @@ static void test_exec_privatedevices(Manager *m) {
  
          test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
          test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
+        if (access("/dev/kvm", F_OK) >= 0)
+                test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
          test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
          test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
  
diff --git a/test/test-execute/exec-privatedevices-bind.service b/test/test-execute/exec-privatedevices-bind.service

new file mode 100644 (file)

index 0000000..dbbbb4e
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-bind.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateDevices=yes with a bind mounted device
+
+[Service]
+ExecStart=/bin/sh -c 'test -c /dev/kmsg'
+ExecStart=/bin/sh -c 'test ! -w /dev/'
+Type=oneshot
+PrivateDevices=yes
+BindPaths=/dev/kmsg
author	Luca Boccassi <bluca@debian.org>
	Thu, 7 Dec 2023 22:19:11 +0000 (22:19 +0000)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Fri, 8 Dec 2023 02:09:14 +0000 (11:09 +0900)
src/core/namespace.c		patch \| blob \| blame \| history
src/test/test-execute.c		patch \| blob \| blame \| history
test/test-execute/exec-privatedevices-bind.service	[new file with mode: 0644]	patch \| blob