core: add device mapper to allow-list with DevicePolicy=closed and RootImage

To set up a verity/cryptsetup RootImage the forked child needs to
issue ioctls on /dev/mapper/control and create a new device-mapper device.
If PrivateDevices=yes and/or DevicePolicy=closed are used, this is
blocked by the cgroup setting, so add an exception like it's done
for loop devices (and also add a dependency on the kernel modules
implementing them).
Luca Boccassi 2020-06-26 12:19:48 +01:00 committed by Lennart Poettering
parent b47261e5cb
commit 0cffae953a
1 changed files with 18 additions and 15 deletions


@ -4524,24 +4524,27 @@ int unit_patch_contexts(Unit *u) {
if (ec->root_image && if (ec->root_image &&
(cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) { (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
const char *p;
/* When RootImage= is specified, the following devices are touched. */ /* When RootImage= is specified, the following devices are touched. */
r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw"); FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
if (r < 0) r = cgroup_add_device_allow(cc, p, "rw");
return r; if (r < 0)
return r;
}
FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
r = cgroup_add_device_allow(cc, p, "rwm");
if (r < 0)
return r;
}
r = cgroup_add_device_allow(cc, "block-loop", "rwm"); /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
if (r < 0) * Same for mapper and verity. */
return r; FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
r = cgroup_add_device_allow(cc, "block-blkext", "rwm"); if (r < 0)
if (r < 0) return r;
return r; }
/* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices */
r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "modprobe@loop.service", true, UNIT_DEPENDENCY_FILE);
if (r < 0)
return r;
} }
if (ec->protect_clock) { if (ec->protect_clock) {
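Review bot: The new `"block-device-mapper"` entry with `"rwm"` is a major-number-wide rule, so a unit with RootImage= and DevicePolicy=closed is now allowed to open (and, if it still holds CAP_MKNOD, create nodes for) every device-mapper block device on the host, not only the one the executor sets up for its own image; the same was already true of `"block-loop"`, but dm devices are where host LUKS/LVM volumes live, so the widening deserves to be stated next to the rule. I would extend the comment on the `FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper")` loop with `/* These are per-major rules: they admit every loop/blkext/dm device on the system, not just the ones backing this unit's RootImage=. */`, and note the same in the DevicePolicy= documentation so operators do not read "closed" as isolating the service from other dm-backed volumes. Whether PrivateDevices=yes strips CAP_MKNOD and thereby blunts the "m" bit is handled outside this hunk, so it cannot be confirmed here; the comment should not assume it. Separately, `modprobe@dm_verity.service` is pulled in for every RootImage= unit even when no verity data is supplied, which is harmless but loads a module the unit may never use. unit_patch_contexts() starts and ends outside the hunk.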