nspawn: sync DeviceAllow= setting with systemd-nspawn@.service

Follow-up for dc3223919f663b7c8b8d8d1d6072b4487df7709b.
Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748592958.

Otherwise, containers started with and without --keep-unit option run in
different device policies.

diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
index 52f738446810ed1776f6668236c7643f80dd6311..009f71f59fe15b5dc8ac1ccb82ba4cf2fee21c42 100644 (file)
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@@ -43,7 +43,7 @@ static int append_machine_properties(
                 return bus_log_create_error(r);
         if (enable_fuse) {
                 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 1,
-                                          "/dev/fuse", "rw");
+                                          "/dev/fuse", "rwm");
                 if (r < 0)
                         return bus_log_create_error(r);
         }

diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index c2f21c6cbba03af5c643547a68fd4a73a02603bc..0dec0e04785424da0ffb418154ff5082beee2789 100644 (file)
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -36,9 +36,6 @@ TasksMax=16384
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw
-{# /dev/fuse gets 'm' here even though it doesn't in nspawn-register.c, since
- # efedb6b0f3 (nspawn: refuse to bind mount device node from host when
- # --private-users= is specified, 2024-09-05) #}
 DeviceAllow=/dev/fuse rwm
 
 # nspawn itself needs access to /dev/loop-control and /dev/loop, to implement