From: Yu Watanabe Date: Mon, 9 Sep 2024 18:38:13 +0000 (+0900) Subject: nspawn: sync DeviceAllow= setting with systemd-nspawn@.service X-Git-Tag: v257-rc1~503^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b86b90cec59d8a41f8cf5e9797980e81bd18082b;p=thirdparty%2Fsystemd.git nspawn: sync DeviceAllow= setting with systemd-nspawn@.service Follow-up for dc3223919f663b7c8b8d8d1d6072b4487df7709b. Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748592958. Otherwise, containers started with and without --keep-unit option run in different device policies.
---
diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
index 52f73844681..009f71f59fe 100644
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@@ -43,7 +43,7 @@ static int append_machine_properties(
 return bus_log_create_error(r);
 if (enable_fuse) {
 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 1,
- "/dev/fuse", "rw");
+ "/dev/fuse", "rwm");
 if (r < 0)
 return bus_log_create_error(r);
 }
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index c2f21c6cbba..0dec0e04785 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -36,9 +36,6 @@ TasksMax=16384
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw
-{# /dev/fuse gets 'm' here even though it doesn't in nspawn-register.c, since
- # efedb6b0f3 (nspawn: refuse to bind mount device node from host when
- # --private-users= is specified, 2024-09-05) #}
 DeviceAllow=/dev/fuse rwm
 
 # nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
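Review bot: The `"rw"` → `"rwm"` change in append_machine_properties widens the device policy for /dev/fuse to include mknod without any comment on the C side saying why, and the only written rationale — the template comment referring to efedb6b0f3 (nspawn refuses to bind mount the device node from the host when --private-users= is specified) — is deleted in the units/systemd-nspawn@.service.in hunk, so the reason for the extra permission no longer exists anywhere in the tree. I would carry that rationale over above the `sd_bus_message_append` call, e.g. `/* 'm' is needed since efedb6b0f3: with --private-users= the /dev/fuse node is not bind-mounted from the host, presumably so it can be created inside the container. Keep in sync with DeviceAllow=/dev/fuse in units/systemd-nspawn@.service.in. */`, so the next reader knows the two DeviceAllow= lines are meant to match rather than drift apart again. The enclosing function append_machine_properties starts and ends outside the hunk.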