author | Lennart Poettering <lennart@poettering.net> | 2018-07-27 18:04:11 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-11-29 20:21:40 +0100 |
commit | 30874dda3a66c0639773dd23079662fc4bf53afd (patch) | |
tree | aeae7d28a611e3a23781803f5a6ab500d3d5e2d7 /src/shared/dev-setup.h | |
parent | nspawn: let's also pre-mount /dev/mqueue (diff) | |
dev-setup: generalize logic we use to create "inaccessible" device nodes

Let's generalize this, so that we can use this in nspawn later on, which
is pretty useful as we need to be able to mask files from the inner
child of nspawn too, where the host's /run/systemd/inaccessible
directory is not visible anymore. Moreover, if nspawn can create these
nodes on its own before the payload this means the payload can run with
fewer privileges.
Diffstat (limited to 'src/shared/dev-setup.h')
-rw-r--r-- | src/shared/dev-setup.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/shared/dev-setup.h b/src/shared/dev-setup.h index f105f2f20f..72b90ec4de 100644 --- a/src/shared/dev-setup.h +++ b/src/shared/dev-setup.h @@ -4,3 +4,5 @@ #include <sys/types.h> int dev_setup(const char *prefix, uid_t uid, gid_t gid); + +int make_inaccessible_nodes(const char *root, uid_t uid, gid_t gid); |
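Review bot: The added declaration `int make_inaccessible_nodes(const char *root, uid_t uid, gid_t gid);` carries no comment describing its contract, and its path argument is named `root` while the neighbouring `dev_setup()` calls its path argument `prefix`, so a reader of this header cannot tell whether the two are interpreted the same way. Since the commit message says nspawn will call this from the inner child, where the host's /run/systemd/inaccessible is not visible, please add a short comment above the prototype stating where beneath `root` the nodes are created, whether `root` may be NULL, what `uid` and `gid` are applied to, and what the int return value means on failure. If `root` and `prefix` mean the same thing, using one name for both functions would also help callers that create nodes meant to mask files for a less-privileged payload.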