diff options
author | Dan Čermák <dcermak@suse.com> | 2022-09-21 23:09:10 +0200 |
---|---|---|
committer | Dan Čermák <dcermak@suse.com> | 2022-09-22 16:44:26 +0200 |
commit | 5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (patch) | |
tree | 75d118cca1ec243b737e883651bbb6229e41722f | |
parent | 828fae12971c5a7b9807c8c4f8e029fe5d0ddc2f (diff) | |
download | podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.gz podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.bz2 podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.zip |
Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.
Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode
This fixes https://github.com/containers/podman/issues/15878
Signed-off-by: Dan Čermák <dcermak@suse.com>
-rw-r--r-- | libpod/container_internal_common.go | 6 | ||||
-rw-r--r-- | pkg/util/utils_freebsd.go | 2 | ||||
-rw-r--r-- | pkg/util/utils_linux.go | 5 | ||||
-rw-r--r-- | test/system/030-run.bats | 18 |
4 files changed, 28 insertions, 3 deletions
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go index 874e9affe..29107d4b6 100644 --- a/libpod/container_internal_common.go +++ b/libpod/container_internal_common.go @@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // If the flag to mount all devices is set for a privileged container, add // all the devices from the host's machine into the container if c.config.MountAllDevices { - if err := util.AddPrivilegedDevices(&g); err != nil { + systemdMode := false + if c.config.Systemd != nil { + systemdMode = *c.config.Systemd + } + if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil { return nil, err } } diff --git a/pkg/util/utils_freebsd.go b/pkg/util/utils_freebsd.go index 9b0d7c8c7..ba91308af 100644 --- a/pkg/util/utils_freebsd.go +++ b/pkg/util/utils_freebsd.go @@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) { return []string{}, errors.New("this function is not supported on freebsd") } -func AddPrivilegedDevices(g *generate.Generator) error { +func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error { return nil } diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go index 7b2d98666..07927db1c 100644 --- a/pkg/util/utils_linux.go +++ b/pkg/util/utils_linux.go @@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) { return nodes, nil } -func AddPrivilegedDevices(g *generate.Generator) error { +func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error { hostDevices, err := getDevices("/dev") if err != nil { return err @@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error { } } else { for _, d := range hostDevices { + if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") { + continue + } g.AddDevice(d) } // Add resources device - need to clear the existing one first. diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 2abf749a1..65a1150a3 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -901,4 +901,22 @@ $IMAGE--c_ok" \ run_podman rm $ctr_name } +@test "podman run --privileged as root with systemd will not mount /dev/tty" { + skip_if_rootless "this test only makes sense as root" + + ctr_name="container-$(random_string 5)" + run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause + + TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d') + + if [[ $TTYs = "" ]]; then + die "Did not find any /dev/ttyN devices on local host" + else + run_podman exec "$ctr_name" ls /dev/ + assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container" + fi + + run_podman stop "$ctr_name" +} + # vim: filetype=sh |