cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.
author Alessandro Puccetti <alessandro@kinvolk.io>
Fri, 22 Jul 2016 10:00:49 +0000 (12:00 +0200)
committer Sven Eden <yamakuzure@gmx.net>
Fri, 16 Jun 2017 08:13:01 +0000 (10:13 +0200)
https://github.com/elogind/elogind/pull/3685 introduced
/run/elogind/inaccessible/{chr,blk} to map inaccessible devices,
this patch allows elogind running inside an nspawn container to create
/run/elogind/inaccessible/{chr,blk}.

src/core/cgroup.c

index ec53ce73f15e965853762526befd13b5efdd0498..3e01690c9a3ed052dfad2f56d057c93ecc83c359 100644 (file)
@@ -745,7 +745,10 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) {
                                 "/dev/random\0" "rwm\0"
                                 "/dev/urandom\0" "rwm\0"
                                 "/dev/tty\0" "rwm\0"
-                                "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */
+                                "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */
+                                /* Allow /run/elogind/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+                                "/run/elogind/inaccessible/chr\0" "rwm\0"
+                                "/run/elogind/inaccessible/blk\0" "rwm\0";
 
                         const char *x, *y;
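
Review bot: the two added entries for /run/elogind/inaccessible/chr and /run/elogind/inaccessible/blk grant "rwm", while the commit message only states that elogind inside an nspawn container needs to create these nodes, which is the "m" (mknod) permission. Since these nodes exist to stand in for inaccessible devices, please either narrow the entries to "m\0" or extend the new comment to say why read and write are also required, in the same way the /dev/pts/ptmx line documents why it is limited to "rw". The comment would also benefit from mentioning the nspawn container case, which is the actual motivation and is currently only recorded in the commit message.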