aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Čermák <dcermak@suse.com>2022-09-21 23:09:10 +0200
committerDan Čermák <dcermak@suse.com>2022-09-22 16:44:26 +0200
commit5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (patch)
tree75d118cca1ec243b737e883651bbb6229e41722f
parent828fae12971c5a7b9807c8c4f8e029fe5d0ddc2f (diff)
downloadpodman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.gz
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.bz2
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.zip
Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes https://github.com/containers/podman/issues/15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
-rw-r--r--libpod/container_internal_common.go6
-rw-r--r--pkg/util/utils_freebsd.go2
-rw-r--r--pkg/util/utils_linux.go5
-rw-r--r--test/system/030-run.bats18
4 files changed, 28 insertions, 3 deletions
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 874e9affe..29107d4b6 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// If the flag to mount all devices is set for a privileged container, add
// all the devices from the host's machine into the container
if c.config.MountAllDevices {
- if err := util.AddPrivilegedDevices(&g); err != nil {
+ systemdMode := false
+ if c.config.Systemd != nil {
+ systemdMode = *c.config.Systemd
+ }
+ if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
return nil, err
}
}
diff --git a/pkg/util/utils_freebsd.go b/pkg/util/utils_freebsd.go
index 9b0d7c8c7..ba91308af 100644
--- a/pkg/util/utils_freebsd.go
+++ b/pkg/util/utils_freebsd.go
@@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) {
return []string{}, errors.New("this function is not supported on freebsd")
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
return nil
}
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 7b2d98666..07927db1c 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
hostDevices, err := getDevices("/dev")
if err != nil {
return err
@@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error {
}
} else {
for _, d := range hostDevices {
+ if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") {
+ continue
+ }
g.AddDevice(d)
}
// Add resources device - need to clear the existing one first.
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 2abf749a1..65a1150a3 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -901,4 +901,22 @@ $IMAGE--c_ok" \
run_podman rm $ctr_name
}
+@test "podman run --privileged as root with systemd will not mount /dev/tty" {
+ skip_if_rootless "this test only makes sense as root"
+
+ ctr_name="container-$(random_string 5)"
+ run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause
+
+ TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')
+
+ if [[ $TTYs = "" ]]; then
+ die "Did not find any /dev/ttyN devices on local host"
+ else
+ run_podman exec "$ctr_name" ls /dev/
+ assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container"
+ fi
+
+ run_podman stop "$ctr_name"
+}
+
# vim: filetype=sh