From a07f961e98456714e7516c75041d5150d8641776 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 11 Mar 2014 17:43:00 +0100
Subject: [PATCH] nspawn: allow using kdbus from nspawn containers
---
 src/nspawn/nspawn.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index cd31bd42c..1051b922c 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1258,7 +1258,7 @@ static int register_machine(pid_t pid) {
 return r;
 }
 
- r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 8,
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
 /* Allow the container to
 * access and create the API
 * device nodes, so that
@@ -1277,7 +1277,18 @@ static int register_machine(pid_t pid) {
 * container to ever create
 * these device nodes. */
 "/dev/pts/ptmx", "rw",
- "char-pts", "rw");
+ "char-pts", "rw",
+ /* Allow the container
+ * access to all kdbus
+ * devices. Again, the
+ * container cannot create
+ * these nodes, only use
+ * them. We use a pretty
+ * open match here, so that
+ * the kernel API can still
+ * change. */
+ "char-kdbus", "rw",
+ "char-kdbus/*", "rw");
 if (r < 0) {
 log_error("Failed to add device whitelist: %s", strerror(-r));
 return r;
-- 
2.30.2
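Review bot: The element count `"a(ss)", 10` in the first hunk is maintained by hand and has to equal the number of (ss) pairs appended in the second hunk, some twenty lines away; the next person who adds a device entry but forgets the count (or the reverse) will get an append failure or mis-paired strings at runtime rather than a compile error. A comment beside the count such as `/* array length: keep in sync with the (ss) pairs below */` would at least flag the coupling. On the new `"char-kdbus/*", "rw"` entry, the comment already says the match is deliberately open, but it would help to state plainly that this DeviceAllow list therefore no longer narrows which kdbus nodes the container may open, so whatever access policy the nodes themselves enforce is what remains in effect. The body of register_machine continues outside both hunks.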