<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - nspawn: block devices passed to --bind/bind-ro are not accessible inside the container" href="https://bugs.freedesktop.org/show_bug.cgi?id=90385">90385</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nspawn: block devices passed to --bind/bind-ro are not accessible inside the container
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>code@stefanjunker.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=115666" name="attach_115666" title="patch - nspawn - DeviceAllow for block devices that are passed --bind/--bind-ro">attachment 115666</a> <a href="attachment.cgi?id=115666&action=edit" title="patch - nspawn - DeviceAllow for block devices that are passed --bind/--bind-ro">[details]</a></span>
patch - nspawn - DeviceAllow for block devices that are passed --bind/--bind-ro

When systemd-nspawn is called with the --bind or --bind-ro arguments and passed
a block device, e.g. /dev/mmcblk0p1, the device is not accessible inside the
container due to cgroup restrictions.

Testing or more generally running software that is only supposed to access
specific block devices would be a convenient use-case for containers, with
virtual machines being the conservative method for this. The fact that
--bind/--bind-ro supports renaming paths for mounting them inside the container
could be useful for running predefined routines that use a fixed device name,
which can be swapped very easily by simply changing an argument for the
specific container instance.

Blocking access to all system block devices is a good safety measure. Providing
users with the possibility to override this for specific devices is a good
feature.

I've attached a patch which adds detection of block devices to
mount_bind(). For every block device source file the DeviceAllow property will
be set for the scope of the machine that is being started.</pre>
        </div>
      </p>
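<p>The following POSIX shell script is an added illustration of the approach the report describes and is neither the reporter's attached patch nor systemd's own code. Instead of changing nspawn, it builds the equivalent allow list on the command line: for each --bind/--bind-ro spec whose source is a block device it emits a matching DeviceAllow= entry for the machine's scope unit, so the device cgroup permits exactly those nodes and nothing else. It assumes systemd-nspawn's --property= option and systemd's "DeviceAllow=&lt;node&gt; &lt;r|w|m&gt;" value syntax; the device path and container root at the bottom are constructed sample values.</p>

```shell
#!/bin/sh
# Added example (not the bug report's patch and not systemd code): derive
# --property=DeviceAllow= arguments for the block-device sources of
# --bind/--bind-ro specs, so the container's scope unit is allowed access to
# exactly those devices.  Assumes systemd-nspawn's --property= option and the
# "DeviceAllow=<node> <r|w|m>" syntax; sample paths below are constructed.

# Source path of a bind spec, which is either "src" or "src:dest".
bind_source() {
    printf '%s\n' "${1%%:*}"
}

# Access mode to grant for a bind kind: --bind gets rw, --bind-ro only r.
mode_for() {
    case $1 in
        bind)    printf 'rw\n' ;;
        bind-ro) printf 'r\n' ;;
        *)       return 1 ;;
    esac
}

# For every spec whose source is a block device, print one
# --property=DeviceAllow= argument.  Directories, regular files and character
# devices print nothing: they need no device-cgroup entry for a bind mount.
# Usage: device_allow_args bind|bind-ro SPEC...
device_allow_args() {
    kind=$1; shift
    mode=$(mode_for "$kind") || return 1
    for spec in "$@"; do
        src=$(bind_source "$spec")
        if [ -b "$src" ]; then
            printf -- "--property=DeviceAllow=%s %s\n" "$src" "$mode"
        fi
    done
    return 0
}

# Print (rather than run) the complete command line so it can be reviewed:
# the bind options first, then one quoted DeviceAllow property per device.
# Usage: nspawn_cmdline ROOTDIR bind|bind-ro SPEC...
nspawn_cmdline() {
    root=$1; kind=$2; shift 2
    printf 'systemd-nspawn -D %s' "$root"
    for spec in "$@"; do
        printf ' --%s=%s' "$kind" "$spec"
    done
    device_allow_args "$kind" "$@" | while IFS= read -r arg; do
        printf " '%s'" "$arg"
    done
    printf '\n'
}

# Constructed sample: expose one partition under a fixed in-container name.
nspawn_cmdline /var/lib/machines/sdtest bind /dev/mmcblk0p1:/dev/sdcard
```

<p>On a host where /dev/mmcblk0p1 is not a block device the printed command carries no DeviceAllow property at all, which is the intended least-privilege outcome: the allow list only ever grows by the specific nodes that are actually being bound in, never by a wildcard over all block devices. Whether the grant took effect can be checked from inside the container by attempting a read of the bound node, which still fails with a permission error if the scope unit's device cgroup does not list it.</p>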
    </body>
</html>