nspawn: make sure we install the device policy if nspawn is run as unit as on the...

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index f43ffd97c51b2dcfb289d16dbb026c1e500fe501..29652e00e5b5026a00567739d13ba3a610c7456b 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2014,6 +2014,10 @@ static int register_machine(pid_t pid, int local_ifindex) {
                 if (r < 0)
                         return bus_log_create_error(r);
 
+                /* If you make changes here, also make sure to update
+                 * systemd-nspawn@.service, to keep the device
+                 * policies in sync regardless if we are run with or
+                 * without the --keep-unit switch. */
                 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
                                           /* Allow the container to
                                            * access and create the API

diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 3e26b53fd68f933e50dbc5001725e94d37b61f71..6bfa55ac37562d30249950fdaaf8f8d3ef3de52c 100644 (file)
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -19,5 +19,19 @@ RestartForceExitStatus=133
 SuccessExitStatus=133
 Delegate=yes
 
+# Enforce a strict device policy, similar to the one nspawn configures
+# when it allocates its own scope unit. Make sure to keep these
+# policies in sync if you change them!
+DevicePolicy=strict
+DeviceAllow=/dev/null rwm
+DeviceAllow=/dev/zero rwm
+DeviceAllow=/dev/full rwm
+DeviceAllow=/dev/random rwm
+DeviceAllow=/dev/urandom rwm
+DeviceAllow=/dev/tty rwm
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/pts/ptmx rw
+DeviceAllow=char-pts rw
+
 [Install]
 WantedBy=machines.target