cgroup: support prefix "-" in cgroups whitelisting entries (#4687)
authorDongsu Park <dongsu@endocode.com>
Tue, 29 Nov 2016 19:16:55 +0000 (20:16 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 29 Nov 2016 19:16:55 +0000 (20:16 +0100)
So far systemd-nspawn container has been creating files under
/run/systemd/inaccessible, no matter whether it's running in user
namespace or not. That's fine for regular files, dirs, socks, fifos.
However, it's not fine for block and character devices, because the kernel
doesn't allow them to be created in a user namespace. This results
in warnings at boot like these:

====
  Couldn't stat device /run/systemd/inaccessible/chr
  Couldn't stat device /run/systemd/inaccessible/blk
====

Thus we need to have the cgroups whitelisting handler to silently ignore
a file, when the device path is prefixed with "-". That's exactly the
same convention used in directives like ReadOnlyPaths=. Also insert the
prefix "-" to inaccessible entries.

src/core/cgroup.c

index bd6248406f8dd5c7429c975ff610776db72b936f..6dab6e90437cae96225a550138046ca534b2ce89 100644 (file)
@@ -293,8 +293,11 @@ static int whitelist_device(const char *path, const char *node, const char *acc)
         assert(acc);
 
         if (stat(node, &st) < 0) {
-                log_warning("Couldn't stat device %s", node);
-                return -errno;
+                /* path starting with "-" must be silently ignored */
+                if (errno == ENOENT && startswith(node, "-"))
+                        return 0;
+
+                return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
         }
 
         if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
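Review bot: The `stat(node, &st)` call still receives the string with its leading `-`, so for the two `-/run/systemd/inaccessible/{chr,blk}` entries added in the second hunk it looks up a relative path. That lookup will normally fail with ENOENT and return 0 even when the device nodes exist. The result is fail-closed, since the nodes are silently left out of the device whitelist rather than over-permitted, but the optional entries are never applied and the lookup now depends on the working directory. Strip the prefix before any filesystem access and remember it in a flag, then test that flag instead of `startswith(node, "-")` in the ENOENT branch, as sketched below. The body of whitelist_device starts and ends outside the hunk, so confirm there that later uses of `node` expect the stripped path.

```c
        bool ignore_notfound;

        /* … unchanged: asserts on path, node, acc … */

        /* A leading "-" marks the entry as optional; drop it before touching the filesystem. */
        ignore_notfound = node[0] == '-';
        if (ignore_notfound)
                node++;

        if (stat(node, &st) < 0) {
                if (errno == ENOENT && ignore_notfound)
                        return 0;

                return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
        }
```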
@@ -914,8 +917,8 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
                                 "/dev/tty\0" "rwm\0"
                                 "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
                                 /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
-                                "/run/systemd/inaccessible/chr\0" "rwm\0"
-                                "/run/systemd/inaccessible/blk\0" "rwm\0";
+                                "-/run/systemd/inaccessible/chr\0" "rwm\0"
+                                "-/run/systemd/inaccessible/blk\0" "rwm\0";
 
                         const char *x, *y;