diff options
Diffstat (limited to 'units')
| -rw-r--r-- | units/systemd-nspawn@.service.in | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index ff66d4090a..c2f21c6cbb 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -30,12 +30,16 @@ CoredumpReceive=yes TasksMax=16384 {{SERVICE_WATCHDOG}} -{# Enforce a strict device policy, similar to the one nspawn configures when it - # allocates its own scope unit. Make sure to keep these policies in sync if you - # change them! #} +{# Enforce a strict device policy, similar to the one nspawn configures (in + # nspawn-register.c:append_machine_properties()) when it allocates its own + # scope unit. Make sure to keep these policies in sync if you change them! #} DevicePolicy=closed DeviceAllow=/dev/net/tun rwm DeviceAllow=char-pts rw +{# /dev/fuse gets 'm' here even though it doesn't in nspawn-register.c, since + # efedb6b0f3 (nspawn: refuse to bind mount device node from host when + # --private-users= is specified, 2024-09-05) #} +DeviceAllow=/dev/fuse rwm # nspawn itself needs access to /dev/loop-control and /dev/loop, to implement # the --image= option. Add these here, too. |