From: Zbigniew Jędrzejewski-Szmek Date: Fri, 8 Nov 2019 15:09:28 +0000 (+0100) Subject: core: also split out helper to handle static device nodes X-Git-Tag: v244-rc1~62^2~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a9aac7d8dd8939d48df5dba391fae43bf34afcdf;p=thirdparty%2Fsystemd.git core: also split out helper to handle static device nodes
---
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 41b751b83a4..dd38a619819 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -7,6 +7,7 @@
 #include "bpf-program.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "nulstr-util.h"
 #include "parse-util.h"
 #include "stat-util.h"
 #include "stdio-util.h"
@@ -417,3 +418,32 @@ int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *
 return 0;
 }
+
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path) {
+ static const char auto_devices[] =
+ "/dev/null\0" "rwm\0"
+ "/dev/zero\0" "rwm\0"
+ "/dev/full\0" "rwm\0"
+ "/dev/random\0" "rwm\0"
+ "/dev/urandom\0" "rwm\0"
+ "/dev/tty\0" "rwm\0"
+ "/dev/ptmx\0" "rwm\0"
+ /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+ "/run/systemd/inaccessible/chr\0" "rwm\0"
+ "/run/systemd/inaccessible/blk\0" "rwm\0";
+ int r = 0, k;
+
+ const char *node, *acc;
+ NULSTR_FOREACH_PAIR(node, acc, auto_devices) {
+ k = bpf_devices_whitelist_device(prog, path, node, acc);
+ if (r >= 0 && k < 0)
+ r = k;
+ }
+
+ /* PTS (/dev/pts) devices may not be duplicated, but accessed */
+ k = bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
+ if (r >= 0 && k < 0)
+ r = k;
+
+ return r;
+}
diff --git a/src/core/bpf-devices.h b/src/core/bpf-devices.h
index 744d5f8fa00..cd5f074bba2 100644
--- a/src/core/bpf-devices.h
+++ b/src/core/bpf-devices.h
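Review bot: The new `bpf_devices_whitelist_static()` has no comment stating its contract, and the contract is not obvious from the body: the loop keeps applying the remaining entries after a failure, `r` only ever records the first negative return, and the sole caller introduced in this commit discards that value. A header such as `/* Whitelists the device nodes every unit with a restricted device policy needs, plus the pts major. Keeps going on failure; returns 0 or the first error encountered. */` would tell callers what they are giving up by ignoring the result. As a minor style point, `int r = 0, k;` sits above the blank line while `const char *node, *acc;` sits below it, so `k` reads as part of the returned state rather than the per-call scratch value it is; declaring `k` alongside `node` and `acc` would make the "first error wins" pattern easier to see.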
@@ -13,3 +13,4 @@ int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy polic
 int bpf_devices_supported(void);
 int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
 int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *name, char type, const char *acc);
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 9857a687700..475e7df23f0 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -16,7 +16,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
-#include "nulstr-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
@@ -1254,26 +1253,8 @@ static void cgroup_context_apply(
 }
 if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
- (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
- static const char auto_devices[] =
- "/dev/null\0" "rwm\0"
- "/dev/zero\0" "rwm\0"
- "/dev/full\0" "rwm\0"
- "/dev/random\0" "rwm\0"
- "/dev/urandom\0" "rwm\0"
- "/dev/tty\0" "rwm\0"
- "/dev/ptmx\0" "rwm\0"
- /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
- "/run/systemd/inaccessible/chr\0" "rwm\0"
- "/run/systemd/inaccessible/blk\0" "rwm\0";
-
- const char *node, *acc;
- NULSTR_FOREACH_PAIR(node, acc, auto_devices)
- (void) bpf_devices_whitelist_device(prog, path, node, acc);
-
- /* PTS (/dev/pts) devices may not be duplicated, but accessed */
- (void) bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
- }
+ (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow))
+ (void) bpf_devices_whitelist_static(prog, path);
 LIST_FOREACH(device_allow, a, c->device_allow) {
 char acc[4], *val;
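Review bot: The new call `(void) bpf_devices_whitelist_static(prog, path);` throws away the first-error value the helper now goes to the trouble of aggregating, so a failure to whitelist a baseline node such as `/dev/null` or `/dev/ptmx` under a CLOSED or AUTO policy leaves no trace at this call site; the inline loop it replaces also discarded each result, so this is carried over rather than introduced, but the single aggregated return makes it cheap to report once. If a `Unit *` is in scope here (the signature of `cgroup_context_apply()` is outside the hunk, so I cannot confirm it), something like `r = bpf_devices_whitelist_static(prog, path); if (r < 0) log_unit_warning_errno(u, r, "Failed to whitelist static device nodes, ignoring: %m");` would surface it without changing behaviour. Note that a missed whitelist entry denies rather than grants access in the device program, so the gap is in diagnostics, not in the policy's safety. Stylistically, the condition now spans two lines and its single-statement body is unbraced, which is easy to misread when a second statement is later added.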