nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg

[elogind.git] / src / nspawn / nspawn.c

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 90c8b94248b406c3baefca74fd272e2a6c609462..71cdd3f39f27e23ab248dc84058ccf437f2f7399 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -394,6 +394,13 @@ static int setup_kmsg(const char *dest, int kmsg_socket) {
 
         u = umask(0000);
 
+        /* We create the kmsg FIFO as /dev/kmsg, but immediately
+         * delete it after bind mounting it to /proc/kmsg. While FIFOs
+         * on the reading side behave very similar to /proc/kmsg,
+         * their writing side behaves differently from /dev/kmsg in
+         * that writing blocks when nothing is reading. In order to
+         * avoid any problems with containers deadlocking due to this
+         * we simply make /dev/kmsg unavailable to the container. */
         if (asprintf(&from, "%s/dev/kmsg", dest) < 0) {
                 log_error("Out of memory");
                 r = -ENOMEM;
@@ -456,6 +463,9 @@ static int setup_kmsg(const char *dest, int kmsg_socket) {
                 goto finish;
         }
 
+        /* And now make the FIFO unavailable as /dev/kmsg... */
+        unlink(from);
+
 finish:
         free(from);
         free(to);