author | Luca Boccassi <bluca@debian.org> | 2022-10-20 01:37:08 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2022-10-20 13:11:10 +0200 |
commit | 63857bf4f7a5dd48a2b971d9bae2c06cc829b630 (patch) | |
tree | 32520d2af100b8dec81215fe6c8147c212aa6e9e /src | |
parent | man: document effect of --user on --unit with journalctl (diff) | |
core: allow-list char-rtc with ProtectClock=yes only if needed
Allow-listing a device implicitly blocks everything else, so this
has the opposite of the intended effect when PrivateDevices= is
not used.
Allow-list char-rtc only if there is a device policy set.
Fixes https://github.com/systemd/systemd/issues/18142
Diffstat (limited to 'src')
-rw-r--r-- | src/core/unit.c | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index d0f7188613..d08c73613b 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4143,35 +4143,37 @@ int unit_patch_contexts(Unit *u) {
 cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
 cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
 
- if ((ec->root_image || ec->mount_images) &&
- (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
+ /* Only add these if needed, as they imply that everything else is blocked. */
+ if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
+ if (ec->root_image || ec->mount_images) {
+
+ /* When RootImage= or MountImages= is specified, the following devices are touched. */
+ FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
+ r = cgroup_add_device_allow(cc, p, "rw");
+ if (r < 0)
+ return r;
+ }
+ FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
+ r = cgroup_add_device_allow(cc, p, "rwm");
+ if (r < 0)
+ return r;
+ }
 
- /* When RootImage= or MountImages= is specified, the following devices are touched. */
- FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
- r = cgroup_add_device_allow(cc, p, "rw");
- if (r < 0)
- return r;
- }
- FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
- r = cgroup_add_device_allow(cc, p, "rwm");
- if (r < 0)
- return r;
+ /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
+ * Same for mapper and verity. */
+ FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
+ r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
+ }
 }
 
- /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
- * Same for mapper and verity. */
- FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (ec->protect_clock) {
+ r = cgroup_add_device_allow(cc, "char-rtc", "r");
 if (r < 0)
 return r;
 }
 }
-
- if (ec->protect_clock) {
- r = cgroup_add_device_allow(cc, "char-rtc", "r");
- if (r < 0)
- return r;
- }
 }
 
 return 0;
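Review bot: The relocated `if (ec->protect_clock)` branch carries no comment of its own, so a reader who knows ProtectClock= as "implicitly adds DeviceAllow=char-rtc r" cannot see from that line why the rule is skipped for DevicePolicy=auto without DeviceAllow=; the only explanation is the `/* Only add these if needed ... */` comment at the top of the enclosing block, well above it. I would add directly above the branch: `/* With DevicePolicy=auto and no DeviceAllow= nothing is blocked, so the RTC needs no explicit rule; adding one would implicitly close the policy (#18142). */`. Since the `char-rtc` rule is now conditional on a device policy being in effect, the ProtectClock= documentation that presents the rule as unconditional should presumably be updated in the same change — I cannot see the man page from this hunk. unit_patch_contexts() begins before and ends after this hunk; only the `cc` block is visible here.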