nspawn: move the accessibility check for device nodes into copy_devnode_one()

2025-03-25 18:50:18 +03:00 · 2025-02-18 23:35:13 +09:00 · 2025-02-18 23:35:13 +09:00 · 114d191a17
commit 114d191a17
parent c51e472bd4
1 changed files with 19 additions and 15 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2189,7 +2189,7 @@ static int bind_mount_devnode(const char *from, const char *to) {
        return 0;
 }

-static int copy_devnode_one(const char *dest, const char *node) {
+static int copy_devnode_one(const char *dest, const char *node, bool check) {
        int r;

        assert(dest);
@ -2201,6 +2201,19 @@ static int copy_devnode_one(const char *dest, const char *node) {
        if (!from)
                return log_oom();

+        if (check) {
+                /* If 'check' is true, create /dev/fuse only when it is accessible. The check is necessary,
+                 * as some custom service units that invoke systemd-nspawn may enable DevicePolicy= without
+                 * DeviceAllow= for the device node. */
+                _cleanup_close_ int fd = open(from, O_CLOEXEC|O_RDWR);
+                if (fd < 0) {
+                        log_debug_errno(errno,
+                                        "Failed to open %s, skipping creation of the device node in the container, ignoring: %m",
+                                        from);
+                        return 0;
+                }
+        }
+
        _cleanup_free_ char *to = path_join(dest, from);
        if (!to)
                return log_oom();
@ -2284,25 +2297,16 @@ static int copy_devnodes(const char *dest) {

        assert(dest);

+        /* Required basic device nodes. */
        FOREACH_STRING(node, "null", "zero", "full", "random", "urandom", "tty") {
-                r = copy_devnode_one(dest, node);
+                r = copy_devnode_one(dest, node, /* check = */ false);
                if (r < 0)
                        return r;
        }

-        /* Create /dev/fuse only when it is accessible. The check is necessary, as some custom service
-         * units that invoke nspawn may enable DevicePolicy= without DeviceAllow= for the device node. */
-        _cleanup_close_ int fuse_fd = open("/dev/fuse", O_CLOEXEC|O_RDWR);
-        if (fuse_fd >= 0) {
-                r = copy_devnode_one(dest, "fuse");
-                if (r < 0)
-                        return r;
-        }
-
-        /* Similarly, create /dev/net/tun only when it is accessible. */
-        _cleanup_close_ int tun_fd = open("/dev/net/tun", O_CLOEXEC|O_RDWR);
-        if (tun_fd >= 0) {
-                r = copy_devnode_one(dest, "net/tun");
+        /* Optional device nodes. */
+        FOREACH_STRING(node, "fuse", "net/tun") {
+                r = copy_devnode_one(dest, node, /* check = */ true);
                if (r < 0)
                        return r;
        }