From: Lennart Poettering Date: Thu, 6 Sep 2012 06:39:55 +0000 (-0700) Subject: tmpfiles: don't attempt creation of device nodes when we run in a container X-Git-Tag: v190~160 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=cb7ed9dfca647198bce95f503552710eae22da37;hp=dcc9ba80e160bb6e2ed97c7ee343953721702b0c tmpfiles: don't attempt creation of device nodes when we run in a container --- diff --git a/Makefile.am b/Makefile.am index ae775c8c3..f88d193b4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1296,7 +1296,8 @@ systemd_tmpfiles_SOURCES = \ systemd_tmpfiles_LDADD = \ libsystemd-label.la \ - libsystemd-shared.la + libsystemd-shared.la \ + libsystemd-capability.la # ------------------------------------------------------------------------------ systemd_machine_id_setup_SOURCES = \ diff --git a/TODO b/TODO index c7f789b9b..326edb0af 100644 --- a/TODO +++ b/TODO @@ -61,11 +61,9 @@ Features: * json: properly serialize multiple fields with the same name per entry -* journalctl: make -l the default - * journald: add option to choose between "split up nothing", "split up login user journals", "split up all user journals" -* journal live copy, bsaed on libneon (client) and libmicrohttpd +* journal live copy, based on libneon (client) and libmicrohttpd * document in wiki json serialization @@ -81,8 +79,6 @@ Features: * system.conf should have controls for cgroups -* tmpfiles: skip mknod if CAP_MKNOD is missing - * bind mount read-only the cgroup tree higher than than nspawn * currently system services appear not to generate core dumps... diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index e70332ca0..323781f97 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -38,6 +38,7 @@ #include #include #include +#include #include "log.h" #include "util.h" 
@@ -47,6 +48,7 @@ #include "label.h" #include "set.h" #include "conf-files.h" +#include "capability.h" /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates * them in the file system. This is intended to be used to create @@ -764,7 +766,19 @@ static int create_item(Item *i) { case CREATE_BLOCK_DEVICE: case CREATE_CHAR_DEVICE: { - mode_t file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR); + mode_t file_type; + + if (have_effective_cap(CAP_MKNOD) == 0) { + /* In a container we lack CAP_MKNOD. We + shouldnt attempt to create the device node in + that case to avoid noise, and we don't support + virtualized devices in containers anyway. */ + + log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path); + return 0; + } + + file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR); u = umask(0); label_context_set(i->path, file_type);
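Review bot: The `have_effective_cap(CAP_MKNOD) == 0` test in the new `CREATE_BLOCK_DEVICE`/`CREATE_CHAR_DEVICE` branch does not distinguish "capability absent" from "probe failed": if have_effective_cap() follows the usual negative-errno convention on failure (capability.h is not visible here), a failed probe silently falls through to the mknod attempt. Falling through is the safe direction — the kernel still enforces CAP_MKNOD on the actual mknod(), so this check only trims noise and is not a security boundary — but the probe error is lost; I would capture the result, `k = have_effective_cap(CAP_MKNOD);` with `int k;` declared beside `file_type`, and add `if (k < 0) log_debug("Failed to check for CAP_MKNOD, attempting mknod anyway: %s", strerror(-k));` before the `== 0` test. Since the skip path does `return 0`, the caller cannot tell a skipped device entry from a created one, and at log_debug level the skip is invisible by default, so a one-line comment such as `/* Deliberately report success: the kernel would reject mknod() without CAP_MKNOD anyway, and the caller has nothing to recover. */` above the `return 0` would make that contract explicit. Also `shouldnt` in the new comment should read `shouldn't`. create_item() begins before this hunk, and the hunk's trailing context appears to be cut off after `label_context_set(i->path, file_type);` at the end of the page.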