cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particula...

[elogind.git] / src / core / dbus-cgroup.c

diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 792f37eef588e8ac5add4d38283b5fc2dc7b57a5..b8a77254d94d20da932ca57a7143b6c58a5c694b 100644 (file)
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -442,8 +442,11 @@ int bus_cgroup_set_property(
 
                 while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) {
 
-                        if (!path_startswith(path, "/dev"))
-                                return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
+                        if ((!startswith(path, "/dev/") &&
+                             !startswith(path, "block-") &&
+                             !startswith(path, "char-")) ||
+                            strpbrk(path, WHITESPACE))
+                            return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
 
                         if (isempty(rwm))
                                 rwm = "rwm";