mirror of
https://github.com/systemd/systemd.git
synced 2025-03-13 00:58:27 +03:00
625077264b
Devices referred to by `DeviceAllow=` sandboxing are resolved into their corresponding major numbers when the unit is loaded by looking at `/proc/devices`. If a reference is made to a device which is not yet available, the `DeviceAllow` is ignored and the unit's processes cannot access that device. In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe` in `ExecStartPre=` to load some kernel modules. Those kernel modules cause device nodes to become available when they are loaded: the device nodes may not exist when the unit itself is loaded. This means that the unit's processes will not be able to access the device since the `DeviceAllow=` will have been resolved earlier and denied it. One way to fix this would be to re-evaluate the available devices and re-apply the policy to the cgroup, but this cannot work atomically on cgroupsv1. So we fall back to a second approach: instead of running `modprobe` via `ExecStartPre`, we move this out to a separate unit and order it before the units which want the module. Closes #14322. Fixes: #13943.
System and Service Manager
Details
General information about systemd can be found in the systemd Wiki.
Information about build requirements is provided in the README file.
Consult our NEWS file for information about what's new in the most recent systemd versions.
Please see the Hacking guide for information on how to hack on systemd and test your modifications.
Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.
When preparing patches for systemd, please follow our Coding Style Guidelines.
If you are looking for support, please contact our mailing list or join our IRC channel.
Stable branches with backported patches are available in the stable repo.