From: Alessandro Puccetti
Date: Fri, 22 Jul 2016 10:00:49 +0000 (+0200)
Subject: cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.
X-Git-Tag: v231.3~62
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=4da9c491f22937fad26adb18cb74e3bd48c7dc17

cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.

https://github.com/elogind/elogind/pull/3685 introduced /run/elogind/inaccessible/{chr,blk} to map inaccessible devices, this patch allows elogind running inside a nspawn container to create /run/elogind/inaccessible/{chr,blk}.
---
diff --git a/src/core/cgroup.c b/src/core/cgroup.c index ec53ce73f..3e01690c9 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -745,7 +745,10 @@ static void cgroup_context_apply(Unit *u, CGroupMask mask, ManagerState state) { "/dev/random\0" "rwm\0" "/dev/urandom\0" "rwm\0" "/dev/tty\0" "rwm\0" - "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */ + "/dev/pts/ptmx\0" "rw\0" /* /dev/pts/ptmx may not be duplicated, but accessed */ + /* Allow /run/elogind/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */ + "/run/elogind/inaccessible/chr\0" "rwm\0" + "/run/elogind/inaccessible/blk\0" "rwm\0"; const char *x, *y;
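
Review bot: the two added entries for /run/elogind/inaccessible/chr and /run/elogind/inaccessible/blk are granted "rwm", while the commit message only states a need to create these nodes from inside an nspawn container, which is what the "m" (mknod) bit covers. Unless read and write access to the nodes is actually required, consider narrowing both entries to "m" so the "auto" and "closed" policies are not widened more than the use case needs; the neighbouring /dev/pts/ptmx entry already shows a reduced permission set ("rw") with a comment explaining why. If "rw" is needed here, extend the new comment to say so, since "for mapping InaccessiblePaths" does not explain the choice of permissions.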