[systemd-devel] DeviceAllow=/dev/net/tun in systemd-nspawn@.service has no effect

Gibeom Gwon gb.gwon at stackframe.dev
Tue Feb 22 03:32:44 UTC 2022


Hello,

Just out of curiosity, I commented out DeviceAllow=/dev/net/tun rwm in
systemd-nspawn@.service and tried running it. A failure was expected, but
it did not fail.

copy_devnodes() in src/nspawn/nspawn.c executes mknod() on /dev/net/tun, so
EPERM is expected because DeviceAllow=/dev/net/tun rwm no longer exists.
But /dev/net/tun was created and systemd-nspawn did not fail.

Doesn't DeviceAllow= apply to child processes spawned by
raw_clone(SIGCHLD|CLONE_NEWNS) or any other reasons?

I'm using Arch Linux; the kernel is 5.16.10 and systemd is 250.3.

Here is the output. I also commented out
DeviceAllow=char-pts rw and it did not fail:

sh-5.1# tail -n 20 /usr/lib/systemd/system/systemd-nspawn\@.service
TasksMax=16384
WatchdogSec=3min

DevicePolicy=closed
#DeviceAllow=/dev/net/tun rwm
#DeviceAllow=char-pts rw

# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw

# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

[Install]
WantedBy=machines.target
sh-5.1# systemctl start systemd-nspawn@test
sh-5.1# machinectl
MACHINE CLASS     SERVICE        OS   VERSION ADDRESSES
test    container systemd-nspawn arch -       -

1 machines listed.
sh-5.1# machinectl shell test
Connected to machine test. Press ^] three times within 1s to exit session.
[root@test ~]# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 20 05:13 /dev/net/tun

Regards,
Gibeom Gwon

