nspawn: set DevicesPolicy closed and clean up duplicated devices

2016-07-22 11:58:03 +02:00 · 2016-07-22 11:58:03 +02:00 · 54cd6556b3
parent b3d1d51603
commit 54cd6556b3
2 changed files with 4 additions and 24 deletions
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@ -104,7 +104,7 @@ int register_machine(
                                return bus_log_create_error(r);
                }

-                r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
+                r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "closed");
                if (r < 0)
                        return bus_log_create_error(r);

@ -112,31 +112,20 @@ int register_machine(
                 * systemd-nspawn@.service, to keep the device
                 * policies in sync regardless if we are run with or
                 * without the --keep-unit switch. */
-                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
+                r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 2,
                                          /* Allow the container to
                                           * access and create the API
                                           * device nodes, so that
                                           * PrivateDevices= in the
                                           * container can work
                                           * fine */
-                                          "/dev/null", "rwm",
-                                          "/dev/zero", "rwm",
-                                          "/dev/full", "rwm",
-                                          "/dev/random", "rwm",
-                                          "/dev/urandom", "rwm",
-                                          "/dev/tty", "rwm",
                                          "/dev/net/tun", "rwm",
                                          /* Allow the container
                                           * access to ptys. However,
                                           * do not permit the
                                           * container to ever create
                                           * these device nodes. */
-                                          "/dev/pts/ptmx", "rw",
-                                          "char-pts", "rw",
-                                          /* Allow /run/systemd/inaccessible/{chr,blk}
-                                           * devices inside the container */
-                                          "/run/systemd/inaccessible/chr", "rwm",
-                                          "/run/systemd/inaccessible/blk", "rwm");
+                                          "char-pts", "rw");
                if (r < 0)
                        return bus_log_create_error(r);

--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@ -25,18 +25,9 @@ TasksMax=16384
 # Enforce a strict device policy, similar to the one nspawn configures
 # when it allocates its own scope unit. Make sure to keep these
 # policies in sync if you change them!
-DevicePolicy=strict
-DeviceAllow=/dev/null rwm
-DeviceAllow=/dev/zero rwm
-DeviceAllow=/dev/full rwm
-DeviceAllow=/dev/random rwm
-DeviceAllow=/dev/urandom rwm
-DeviceAllow=/dev/tty rwm
+DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
-DeviceAllow=/dev/pts/ptmx rw
 DeviceAllow=char-pts rw
-DeviceAllow=/run/systemd/inaccessible/chr rwm
-DeviceAllow=/run/systemd/inaccessible/blk rwm

 # nspawn itself needs access to /dev/loop-control and /dev/loop, to
 # implement the --image= option. Add these here, too.