core: un-break PrivateDevices= by allowing it to mknod /dev/ptmx
authorAlan Jenkins <alan.christopher.jenkins@gmail.com>
Thu, 18 Jan 2018 12:07:31 +0000 (12:07 +0000)
committerAlan Jenkins <alan.christopher.jenkins@gmail.com>
Thu, 18 Jan 2018 12:10:20 +0000 (12:10 +0000)
#7886 caused PrivateDevices= to silently fail-open.
https://github.com/systemd/systemd/pull/7886#issuecomment-358542849

Allow PrivateDevices= to succeed, in creating /dev/ptmx, even though
DeviceControl=closed applies.

No specific justification was given for blocking mknod of /dev/ptmx, only
that we didn't seem to need it, because we weren't creating it correctly as
a device node.

src/core/cgroup.c

index d08b4a07870649a5be2faa4b6742c8ad5e59932a..c2c4ef1b428c8d15bde6004929b5aabcf71f8136 100644 (file)
@@ -978,7 +978,7 @@ static void cgroup_context_apply(
                                 "/dev/random\0" "rwm\0"
                                 "/dev/urandom\0" "rwm\0"
                                 "/dev/tty\0" "rwm\0"
-                                "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
+                                "/dev/ptmx\0" "rwm\0"
                                 /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
                                 "-/run/systemd/inaccessible/chr\0" "rwm\0"
                                 "-/run/systemd/inaccessible/blk\0" "rwm\0";
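Review bot: The new `"/dev/ptmx\0" "rwm\0"` entry has no comment, although the line it replaces documented why its access was limited to `rw`, and this entry now adds `m` (mknod) to what the closed device policy allows. The reason is only in the commit message; I would record it beside the entry, for example `/* 'm' is required so that PrivateDevices= can mknod /dev/ptmx in its private /dev */`. Since the description says the earlier failure was silent, it is also worth checking separately that the PrivateDevices= setup code reports a failed mknod instead of continuing with the host's /dev; that code is not part of this hunk. cgroup_context_apply begins and ends outside the hunk.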
@@ -988,6 +988,7 @@ static void cgroup_context_apply(
                         NULSTR_FOREACH_PAIR(x, y, auto_devices)
                                 whitelist_device(path, x, y);
 
+                        /* PTS (/dev/pts) devices may not be duplicated, but accessed */
                         whitelist_major(path, "pts", 'c', "rw");
                 }