aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorDan Čermák <dcermak@suse.com>2022-09-21 23:09:10 +0200
committerDan Čermák <dcermak@suse.com>2022-09-22 16:44:26 +0200
commit5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (patch)
tree75d118cca1ec243b737e883651bbb6229e41722f /pkg
parent828fae12971c5a7b9807c8c4f8e029fe5d0ddc2f (diff)
downloadpodman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.gz
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.bz2
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.zip
Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes https://github.com/containers/podman/issues/15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/util/utils_freebsd.go2
-rw-r--r--pkg/util/utils_linux.go5
2 files changed, 5 insertions, 2 deletions
diff --git a/pkg/util/utils_freebsd.go b/pkg/util/utils_freebsd.go
index 9b0d7c8c7..ba91308af 100644
--- a/pkg/util/utils_freebsd.go
+++ b/pkg/util/utils_freebsd.go
@@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) {
return []string{}, errors.New("this function is not supported on freebsd")
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
return nil
}
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 7b2d98666..07927db1c 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
hostDevices, err := getDevices("/dev")
if err != nil {
return err
@@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error {
}
} else {
for _, d := range hostDevices {
+ if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") {
+ continue
+ }
g.AddDevice(d)
}
// Add resources device - need to clear the existing one first.