nspawn: enable major=0/minor=0 devices inside the container (#3773)
authorAlessandro Puccetti <alessandro@kinvolk.io>
Thu, 21 Jul 2016 15:39:38 +0000 (17:39 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 21 Jul 2016 15:39:38 +0000 (17:39 +0200)
https://github.com/systemd/systemd/pull/3685 introduced
/run/systemd/inaccessible/{chr,blk} to map inaccessible devices,
this patch allows systemd running inside a nspawn container to create
/run/systemd/inaccessible/{chr,blk}.

src/core/dbus-cgroup.c
src/nspawn/nspawn-register.c
units/systemd-nspawn@.service.in

index 27bbe2d26d46a8b8d524dd538c375564696d1df9..6167ce92cd2030140bf8fb3435283940994022d3 100644 (file)
@@ -960,6 +960,7 @@ int bus_cgroup_set_property(
                 while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) {
 
                         if ((!startswith(path, "/dev/") &&
+                             !startswith(path, "/run/systemd/inaccessible/") &&
                              !startswith(path, "block-") &&
                              !startswith(path, "char-")) ||
                             strpbrk(path, WHITESPACE))
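Review bot: The added prefix test accepts any path below /run/systemd/inaccessible/, whereas the commit only motivates the two nodes chr and blk; as far as this hunk shows, these startswith() checks are the only validation before a path is accepted, so an exact match would be tighter, e.g. `!STR_IN_SET(path, "/run/systemd/inaccessible/chr", "/run/systemd/inaccessible/blk") &&` in place of the new startswith() line. If further nodes are expected under that directory later, a one-line comment saying why the prefix form was chosen would help the next reader. The enclosing while loop and bus_cgroup_set_property() continue outside the hunk.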
index 20103c5e8873dd4140fe818ea822391e0a9f75fe..7fd711b8a4a8a0f9bd73d1b976adcecd0896d62b 100644 (file)
@@ -112,7 +112,7 @@ int register_machine(
                  * systemd-nspawn@.service, to keep the device
                  * policies in sync regardless if we are run with or
                  * without the --keep-unit switch. */
-                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
+                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
                                           /* Allow the container to
                                            * access and create the API
                                            * device nodes, so that
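Review bot: The element count on the changed line, `11`, is maintained by hand and has to equal the number of (ss) pairs appended in the second hunk of this file; the two pairs added there are what turn 9 into 11, so a reader of this line alone cannot check it. A comment beside the literal such as `/* number of (ss) pairs below; keep in sync when adding entries */` would tie the two hunks together. register_machine() begins and continues outside the hunk.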
@@ -132,7 +132,11 @@ int register_machine(
                                            * container to ever create
                                            * these device nodes. */
                                           "/dev/pts/ptmx", "rw",
-                                          "char-pts", "rw");
+                                          "char-pts", "rw",
+                                          /* Allow /run/systemd/inaccessible/{chr,blk}
+                                           * devices inside the container */
+                                          "/run/systemd/inaccessible/chr", "rwm",
+                                          "/run/systemd/inaccessible/blk", "rwm");
                 if (r < 0)
                         return bus_log_create_error(r);
 
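Review bot: The new comment on the added pairs says what is allowed but not why they get `rwm` while the ptmx entries just above get `rw`; per the commit description the container's systemd has to create these nodes itself, which is what the mknod bit in `m` is for. Suggest replacing the two-line comment with `/* Allow the container's systemd to create (mknod) and use the /run/systemd/inaccessible/{chr,blk} placeholder nodes */`. These path entries are presumably resolved against the host's nodes at that location, so the host must provide them — worth a word in the comment if that is the case. register_machine() continues outside the hunk.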
index ea28941507d77ecfe163de00ef142c3505bd3ced..a88774a49529471682750546880dd2d7e6d67018 100644 (file)
@@ -35,6 +35,8 @@ DeviceAllow=/dev/tty rwm
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=/dev/pts/ptmx rw
 DeviceAllow=char-pts rw
+DeviceAllow=/run/systemd/inaccessible/chr rwm
+DeviceAllow=/run/systemd/inaccessible/blk rwm
 
 # nspawn itself needs access to /dev/loop-control and /dev/loop, to
 # implement the --image= option. Add these here, too.