mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 06:25:37 +03:00
core: allow-list char-rtc with ProtectClock=yes only if needed
Allow-listing a device implicitly blocks everything else, so this has the opposite of the intended effect when PrivateDevices= is not used. Allow-list char-rtc only if there is a device policy set. Fixes https://github.com/systemd/systemd/issues/18142
This commit is contained in:
parent
3d218676fc
commit
63857bf4f7
@ -4143,34 +4143,36 @@ int unit_patch_contexts(Unit *u) {
|
||||
cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
|
||||
cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
|
||||
|
||||
if ((ec->root_image || ec->mount_images) &&
|
||||
(cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
|
||||
/* Only add these if needed, as they imply that everything else is blocked. */
|
||||
if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
|
||||
if (ec->root_image || ec->mount_images) {
|
||||
|
||||
/* When RootImage= or MountImages= is specified, the following devices are touched. */
|
||||
FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
|
||||
r = cgroup_add_device_allow(cc, p, "rw");
|
||||
/* When RootImage= or MountImages= is specified, the following devices are touched. */
|
||||
FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
|
||||
r = cgroup_add_device_allow(cc, p, "rw");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
|
||||
r = cgroup_add_device_allow(cc, p, "rwm");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
/* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
|
||||
* Same for mapper and verity. */
|
||||
FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
|
||||
r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
if (ec->protect_clock) {
|
||||
r = cgroup_add_device_allow(cc, "char-rtc", "r");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
|
||||
r = cgroup_add_device_allow(cc, p, "rwm");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
/* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
|
||||
* Same for mapper and verity. */
|
||||
FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
|
||||
r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
if (ec->protect_clock) {
|
||||
r = cgroup_add_device_allow(cc, "char-rtc", "r");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user