core: make sure we can combine DevicePolicy=closed with PrivateDevices=yes

if PrivateDevices=yes is used we need to make sure we can still create /dev/null and so on.
2024-11-06 16:59:03 +03:00 · 2014-03-19 22:00:43 +01:00 · 2014-03-19 22:00:43 +01:00 · 7d711efb9c
commit 7d711efb9c
parent a3d59cd1b0
1 changed files with 11 additions and 5 deletions
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@ -364,16 +364,22 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
                if (c->device_policy == CGROUP_CLOSED ||
                    (c->device_policy == CGROUP_AUTO && c->device_allow)) {
                        static const char auto_devices[] =
-                                "/dev/null\0" "rw\0"
-                                "/dev/zero\0" "rw\0"
-                                "/dev/full\0" "rw\0"
-                                "/dev/random\0" "rw\0"
-                                "/dev/urandom\0" "rw\0";
+                                "/dev/null\0" "rwm\0"
+                                "/dev/zero\0" "rwm\0"
+                                "/dev/full\0" "rwm\0"
+                                "/dev/random\0" "rwm\0"
+                                "/dev/urandom\0" "rwm\0"
+                                "/dev/tty\0" "rwm\0"
+                                "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */

                        const char *x, *y;

                        NULSTR_FOREACH_PAIR(x, y, auto_devices)
                                whitelist_device(path, x, y);
+
+                        whitelist_major(path, "pts", 'c', "rw");
+                        whitelist_major(path, "kdbus", 'c', "rw");
+                        whitelist_major(path, "kdbus/*", 'c', "rw");
                }

                LIST_FOREACH(device_allow, a, c->device_allow) {