From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 6 Aug 2018 05:02:28 +0000 (+0900)
Subject: namespace: implicitly adds DeviceAllow= when RootImage= is set
X-Git-Tag: v240~854^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe65e88ba6ad876baf759461fd99162f706dd35e;p=thirdparty%2Fsystemd.git

namespace: implicitly adds DeviceAllow= when RootImage= is set

RootImage= may require the following settings
```
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rwm
DeviceAllow=block-blkext rwm
```
This adds the following settings implicitly when RootImage= is
specified.

Fixes #9737.
---

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c898d226a7e..0b650fc67a6 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -124,7 +124,16 @@
         partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
         Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink
         url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions
-        Specification</ulink>.</para></listitem>
+        Specification</ulink>.</para>
+
+        <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or <literal>strict</literal>,
+        or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is set, then this setting adds
+        <filename>/dev/loop-control</filename> with <constant>rw</constant> mode, <literal>block-loop</literal> and
+        <literal>block-blkext</literal> with <constant>rwm</constant> mode to <varname>DeviceAllow=</varname>. See
+        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see
+        <varname>PrivateDevices=</varname> below, as it may change the setting of <varname>DevicePolicy=</varname>.
+        </para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/core/unit.c b/src/core/unit.c
index 23433be31c4..17f4ff3ebd8 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4143,12 +4143,28 @@ int unit_patch_contexts(Unit *u) {
         }
 
         cc = unit_get_cgroup_context(u);
-        if (cc) {
+        if (cc && ec) {
 
-                if (ec &&
-                    ec->private_devices &&
+                if (ec->private_devices &&
                     cc->device_policy == CGROUP_AUTO)
                         cc->device_policy = CGROUP_CLOSED;
+
+                if (ec->root_image &&
+                    (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+
+                        /* When RootImage= is specified, the following devices are touched. */
+                        r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");
+                        if (r < 0)
+                                return r;
+
+                        r = cgroup_add_device_allow(cc, "block-loop", "rwm");
+                        if (r < 0)
+                                return r;
+
+                        r = cgroup_add_device_allow(cc, "block-blkext", "rwm");
+                        if (r < 0)
+                                return r;
+                }
         }
 
         return 0;