authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-11-08 16:09:28 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-11-10 23:22:15 +0100
commita9aac7d8dd8939d48df5dba391fae43bf34afcdf (patch)
tree566dd20e19aba6ca07a456fe705c5b9ea86076c5 /src
parent124e05b3b60c253d83ba5e122aca34be719391ff (diff)
downloadsystemd-a9aac7d8dd8939d48df5dba391fae43bf34afcdf.tar.gz
core: also split out helper to handle static device nodes
Diffstat (limited to 'src')
-rw-r--r--src/core/bpf-devices.c30
-rw-r--r--src/core/bpf-devices.h1
-rw-r--r--src/core/cgroup.c23
3 files changed, 33 insertions, 21 deletions
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 41b751b83a..dd38a61981 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -7,6 +7,7 @@
#include "bpf-program.h"
#include "fd-util.h"
#include "fileio.h"
+#include "nulstr-util.h"
#include "parse-util.h"
#include "stat-util.h"
#include "stdio-util.h"
@@ -417,3 +418,32 @@ int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *
return 0;
}
+
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path) {
+ static const char auto_devices[] =
+ "/dev/null\0" "rwm\0"
+ "/dev/zero\0" "rwm\0"
+ "/dev/full\0" "rwm\0"
+ "/dev/random\0" "rwm\0"
+ "/dev/urandom\0" "rwm\0"
+ "/dev/tty\0" "rwm\0"
+ "/dev/ptmx\0" "rwm\0"
+ /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+ "/run/systemd/inaccessible/chr\0" "rwm\0"
+ "/run/systemd/inaccessible/blk\0" "rwm\0";
+ int r = 0, k;
+
+ const char *node, *acc;
+ NULSTR_FOREACH_PAIR(node, acc, auto_devices) {
+ k = bpf_devices_whitelist_device(prog, path, node, acc);
+ if (r >= 0 && k < 0)
+ r = k;
+ }
+
+ /* PTS (/dev/pts) devices may not be duplicated, but accessed */
+ k = bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
+ if (r >= 0 && k < 0)
+ r = k;
+
+ return r;
+}
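Review bot: bpf_devices_whitelist_static is added without a header comment, and its error contract — every entry is still attempted after a failure and only the first negative return code is propagated, via the `if (r >= 0 && k < 0) r = k;` pattern after both the loop body and the "pts" call — has to be reverse-engineered from the body. Suggest a comment above the definition along the lines of `/* Whitelist the fixed set of device nodes a unit gets under the CGROUP_DEVICE_POLICY_CLOSED/_AUTO branch of cgroup_context_apply(), plus /dev/pts access without mknod ("rw"). All entries are tried; the first error is returned. */`, with the same one-liner on the new prototype in bpf-devices.h. It is also worth stating there that auto_devices is a default allow-list: any node appended to it widens what every unit under those policies may access, so edits to it deserve the same scrutiny as an explicit device_allow entry.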
diff --git a/src/core/bpf-devices.h b/src/core/bpf-devices.h
index 744d5f8fa0..cd5f074bba 100644
--- a/src/core/bpf-devices.h
+++ b/src/core/bpf-devices.h
@@ -13,3 +13,4 @@ int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy polic
int bpf_devices_supported(void);
int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *name, char type, const char *acc);
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 9857a68770..475e7df23f 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -16,7 +16,6 @@
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
-#include "nulstr-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
@@ -1254,26 +1253,8 @@ static void cgroup_context_apply(
}
if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
- (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
- static const char auto_devices[] =
- "/dev/null\0" "rwm\0"
- "/dev/zero\0" "rwm\0"
- "/dev/full\0" "rwm\0"
- "/dev/random\0" "rwm\0"
- "/dev/urandom\0" "rwm\0"
- "/dev/tty\0" "rwm\0"
- "/dev/ptmx\0" "rwm\0"
- /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
- "/run/systemd/inaccessible/chr\0" "rwm\0"
- "/run/systemd/inaccessible/blk\0" "rwm\0";
-
- const char *node, *acc;
- NULSTR_FOREACH_PAIR(node, acc, auto_devices)
- (void) bpf_devices_whitelist_device(prog, path, node, acc);
-
- /* PTS (/dev/pts) devices may not be duplicated, but accessed */
- (void) bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
- }
+ (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow))
+ (void) bpf_devices_whitelist_static(prog, path);
LIST_FOREACH(device_allow, a, c->device_allow) {
char acc[4], *val;