[systemd-devel] DeviceAllow=/dev/net/tun in systemd-nspawn@.service has no effect
Gibeom Gwon
gb.gwon at stackframe.dev
Tue Feb 22 03:32:44 UTC 2022
Hello,
Just out of curiosity, I commented out DeviceAllow=/dev/net/tun rwm in
systemd-nspawn@.service and tried running it. A failure was expected, but
none occurred.
copy_devnodes() in src/nspawn/nspawn.c executes mknod() on /dev/net/tun;
EPERM is expected because DeviceAllow=/dev/net/tun rwm does not exist.
But /dev/net/tun was created and systemd-nspawn did not fail.
Doesn't DeviceAllow= apply to child processes spawned by
raw_clone(SIGCHLD|CLONE_NEWNS), or is there some other reason?
I'm using Arch Linux; the kernel is 5.16.10 and systemd is 250.3.
Here is the output. I also commented out
DeviceAllow=char-pts rw and it didn't fail:
sh-5.1# tail -n 20 /usr/lib/systemd/system/systemd-nspawn\@.service
TasksMax=16384
WatchdogSec=3min
DevicePolicy=closed
#DeviceAllow=/dev/net/tun rwm
#DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
[Install]
WantedBy=machines.target
sh-5.1# systemctl start systemd-nspawn@test
sh-5.1# machinectl
MACHINE CLASS SERVICE OS VERSION ADDRESSES
test container systemd-nspawn arch - -
1 machines listed.
sh-5.1# machinectl shell test
Connected to machine test. Press ^] three times within 1s to exit session.
[root@test ~]# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 20 05:13 /dev/net/tun
Regards,
Gibeom Gwon
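The question above is really about the gap between what the unit file declares and what the kernel enforces for the process that calls mknod(). The first half of that gap can be checked offline: the following added example (written for this thread, not code from the post or from systemd) evaluates a unit's DevicePolicy=/DeviceAllow= lines the way systemd.resource-control(5) documents them, so you can see which accesses the unit is supposed to grant before probing the live system. The unit text is a constructed sample modelled on the quoted tail of systemd-nspawn@.service; the set of pseudo devices implicitly allowed by DevicePolicy=closed is the documented one (a given systemd release may add a few more, such as /dev/tty and /dev/ptmx), and the "missing access list defaults to rwm" rule follows systemd's parser behaviour as I understand it.

```python
"""Evaluate what a systemd unit's DevicePolicy=/DeviceAllow= lines permit.

Added example, not from the mailing-list post or from systemd itself.
"""
from dataclasses import dataclass, field

# Pseudo devices that DevicePolicy=closed (and auto with explicit
# DeviceAllow= entries) implicitly grants, per systemd.resource-control(5).
# Assumption: treated as rwm; newer releases may add /dev/tty, /dev/ptmx.
CLOSED_IMPLICIT = {"/dev/null", "/dev/zero", "/dev/full",
                   "/dev/random", "/dev/urandom"}
ACCESS_BITS = set("rwm")  # read, write, mknod

# Constructed sample unit tail, mirroring the post: the tun and char-pts
# lines are commented out, so they must not count.
SAMPLE_UNIT = """\
TasksMax=16384
DevicePolicy=closed
#DeviceAllow=/dev/net/tun rwm
#DeviceAllow=char-pts rw
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
[Install]
WantedBy=machines.target
"""


@dataclass
class DeviceRules:
    policy: str = "auto"                 # auto, closed or strict
    allow: dict = field(default_factory=dict)  # spec -> set of access bits


def parse_unit(text: str) -> DeviceRules:
    """Collect DevicePolicy= and DeviceAllow= from unit text, ignoring
    comments (lines starting with '#' or ';') and section headers."""
    rules = DeviceRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DevicePolicy":
            if value not in ("auto", "closed", "strict"):
                raise ValueError(f"unknown DevicePolicy {value!r}")
            rules.policy = value
        elif key == "DeviceAllow":
            if not value:
                rules.allow = {}  # empty assignment resets the list
                continue
            parts = value.split()
            spec = parts[0]  # a /dev path or a char-<group>/block-<group> name
            bits = set(parts[1]) if len(parts) > 1 else set("rwm")
            if not bits <= ACCESS_BITS:
                raise ValueError(f"bad access list {parts[1]!r} for {spec}")
            rules.allow[spec] = rules.allow.get(spec, set()) | bits
    return rules


def permitted(rules: DeviceRules, device: str, access: str) -> bool:
    """Does the unit intend to grant every bit in `access` for `device`?
    `device` is matched literally against DeviceAllow= specifiers."""
    wanted = set(access)
    if not wanted <= ACCESS_BITS:
        raise ValueError(f"bad access {access!r}")
    if rules.policy == "auto" and not rules.allow:
        return True  # no restriction at all
    granted = set(rules.allow.get(device, set()))
    if rules.policy in ("auto", "closed") and device in CLOSED_IMPLICIT:
        granted |= ACCESS_BITS
    return wanted <= granted


def expected_denials(rules: DeviceRules, probes) -> list:
    """Return the (device, access) probes the unit should refuse; these are
    the cases worth confirming against the running kernel."""
    return [(d, a) for d, a in probes if not permitted(rules, d, a)]


if __name__ == "__main__":
    r = parse_unit(SAMPLE_UNIT)
    for probe in expected_denials(r, [("/dev/net/tun", "m"),
                                      ("/dev/loop-control", "rw"),
                                      ("/dev/loop-control", "m"),
                                      ("char-pts", "r")]):
        print("unit should deny:", probe)
```

Whatever this says the unit intends, the second half of the gap (does the kernel enforce it for the cloned child that performs the mknod?) can only be settled live. A throwaway transient service with the same policy is the quickest way to do that, for example `systemd-run -p DevicePolicy=closed -p 'DeviceAllow=/dev/loop-control rw' --wait --pipe sh -c 'mknod /tmp/probe c 10 200; echo rc=$?'`: a non-zero rc with EPERM means the device cgroup filter applied to the caller, while success is the behaviour the post reports and is worth tracing with `systemd-cgls` and by checking that the process is in the unit's cgroup.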