mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-24 21:34:08 +03:00
namespace: implicitly adds DeviceAllow= when RootImage= is set
RootImage= may require the following settings ``` DeviceAllow=/dev/loop-control rw DeviceAllow=block-loop rwm DeviceAllow=block-blkext rwm ``` This adds the following settings implicitly when RootImage= is specified. Fixes #9737.
This commit is contained in:
parent
fd870bac25
commit
fe65e88ba6
@ -124,7 +124,16 @@
|
||||
partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
|
||||
Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink
|
||||
url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions
|
||||
Specification</ulink>.</para></listitem>
|
||||
Specification</ulink>.</para>
|
||||
|
||||
<para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or <literal>strict</literal>,
|
||||
or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is set, then this setting adds
|
||||
<filename>/dev/loop-control</filename> with <constant>rw</constant> mode, <literal>block-loop</literal> and
|
||||
<literal>block-blkext</literal> with <constant>rwm</constant> mode to <varname>DeviceAllow=</varname>. See
|
||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see
|
||||
<varname>PrivateDevices=</varname> below, as it may change the setting of <varname>DevicePolicy=</varname>.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
@ -4143,12 +4143,28 @@ int unit_patch_contexts(Unit *u) {
|
||||
}
|
||||
|
||||
cc = unit_get_cgroup_context(u);
|
||||
if (cc) {
|
||||
if (cc && ec) {
|
||||
|
||||
if (ec &&
|
||||
ec->private_devices &&
|
||||
if (ec->private_devices &&
|
||||
cc->device_policy == CGROUP_AUTO)
|
||||
cc->device_policy = CGROUP_CLOSED;
|
||||
|
||||
if (ec->root_image &&
|
||||
(cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
|
||||
|
||||
/* When RootImage= is specified, the following devices are touched. */
|
||||
r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = cgroup_add_device_allow(cc, "block-loop", "rwm");
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = cgroup_add_device_allow(cc, "block-blkext", "rwm");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
Loading…
Reference in New Issue
Block a user