morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

nspawn: ignore failure in creating /dev/net/tun when --private-network is unspecified

Browse Source 
Follow-up for efedb6b0f3.
Closes #35116.
This commit is contained in:
Yu Watanabe
2024-11-13 13:36:11 +09:00
parent a1fcaa1549
commit 985ea98e7f
1 changed files with 19 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/nspawn/nspawn.c
View File

@@ -2246,7 +2246,7 @@ static int bind_mount_devnode(const char *from, const char *to) {
return 0;
}
static int copy_devnode_one(const char *dest, const char *node) {
static int copy_devnode_one(const char *dest, const char *node, bool ignore_mknod_failure) {
int r;
assert(dest);
@@ -2290,13 +2290,23 @@ static int copy_devnode_one(const char *dest, const char *node) {
if (r == -EEXIST)
log_notice("%s/dev/ is pre-mounted and pre-populated. If a pre-mounted /dev/ is provided it needs to be an unpopulated file system.", dest);
/* If arg_uid_shift != 0, then we cannot fall back to use bind mount. */
if (arg_uid_shift != 0)
if (arg_uid_shift != 0) {
if (ignore_mknod_failure) {
log_debug_errno(r, "Failed to mknod(%s), ignoring: %m", to);
return 0;
}
return log_error_errno(r, "Failed to mknod(%s): %m", to);
}
/* Some systems abusively restrict mknod but allow bind mounts. */
if (bind_mount_devnode(from, to) < 0)
if (bind_mount_devnode(from, to) < 0) {
/* use the original error code. */
if (ignore_mknod_failure) {
log_debug_errno(r, "Both mknod() and bind mount %s failed, ignoring: %m", to);
return 0;
}
return log_error_errno(r, "Both mknod() and bind mount %s failed: %m", to);
}
} else {
/* mknod() succeeds, chown() it if necessary. */
r = userns_lchown(to, 0, 0);
@@ -2336,18 +2346,21 @@ static int copy_devnodes(const char *dest, bool enable_fuse) {
assert(dest);
FOREACH_STRING(node, "null", "zero", "full", "random", "urandom", "tty") {
r = copy_devnode_one(dest, node);
r = copy_devnode_one(dest, node, /* ignore_mknod_failure = */ false);
if (r < 0)
return r;
}
if (enable_fuse) {
r = copy_devnode_one(dest, "fuse");
r = copy_devnode_one(dest, "fuse", /* ignore_mknod_failure = */ false);
if (r < 0)
return r;
}
r = copy_devnode_one(dest, "net/tun");
/* We unconditionally try to create /dev/net/tun, but let's ignore failure if --private-network is
* unspecified. The failure can be triggered when e.g. DevicePolicy= is set, but DeviceAllow= does
* not contains the device node, and --private-users=pick is specified. */
r = copy_devnode_one(dest, "net/tun", /* ignore_mknod_failure = */ !arg_private_network);
if (r < 0)
return r;