nspawn: fix DeviceAllow list
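--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1101,7 +1101,8 @@ static int copy_devnodes(const char *dest) {
  "full\0"
  "random\0"
  "urandom\0"
- "tty\0";
+ "tty\0"
+ "net/tun\0";
  const char *d;
  int r = 0;
@@ -1132,10 +1133,17 @@ static int copy_devnodes(const char *dest) {
  log_error("%s is not a char or block device, cannot copy", from);
  return -EIO;
- } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
+ } else {
+ r = mkdir_parents(to, 0775);
+ if (r < 0) {
+ log_error("Failed to create parent directory of %s: %s", to, strerror(-r));
+ return -r;
+ }
- log_error("mknod(%s) failed: %m", dest);
- return -errno;
+ if (mknod(to, st.st_mode, st.st_rdev) < 0) {
+ log_error("mknod(%s) failed: %m", dest);
+ return -errno;
+ }
  }
  }
@@ -1537,7 +1545,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
  return r;
  }
- r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
  /* Allow the container to
  * access and create the API
  * device nodes, so that
@@ -1550,6 +1558,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
  "/dev/random", "rwm",
  "/dev/urandom", "rwm",
  "/dev/tty", "rwm",
+ "/dev/net/tun", "rwm",
  /* Allow the container
  * access to ptys. However,
  * do not permit the
@@ -2607,20 +2616,27 @@ static int mount_devices(
  static void loop_remove(int nr, int *image_fd) {
  _cleanup_close_ int control = -1;
+ int r;
  if (nr < 0)
  return;
  if (image_fd && *image_fd >= 0) {
- ioctl(*image_fd, LOOP_CLR_FD);
+ r = ioctl(*image_fd, LOOP_CLR_FD);
+ if (r < 0)
+ log_warning("Failed to close loop image: %m");
  *image_fd = safe_close(*image_fd);
  }
  control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
- if (control < 0)
+ if (control < 0) {
+ log_warning("Failed to open /dev/loop-control: %m");
  return;
+ }
- ioctl(control, LOOP_CTL_REMOVE, nr);
+ r = ioctl(control, LOOP_CTL_REMOVE, nr);
+ if (r < 0)
+ log_warning("Failed to remove loop %d: %m", nr);
  }
  static int spawn_getent(const char *database, const char *key, pid_t *rpid) {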
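Review bot: In the second copy_devnodes hunk (@@ -1132,10 +1133,17), the new mkdir_parents error path ends with `return -r;`, but r is already negative there (the guard is `if (r < 0)` and the message uses `strerror(-r)`), so the function returns a positive value on failure. The other error returns in the same hunk are negative (`return -EIO;`, `return -errno;`), so a caller that tests for `< 0` would presumably treat this failure as success and continue with an incomplete /dev; the line should be `return r;`. The mknod message just below also prints `dest` rather than `to`, the path actually passed to mknod(), which makes a failure on the new `net/tun` node harder to trace. copy_devnodes starts and ends outside the hunk, so the caller's check is not visible here.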