diff options
author | Dan Čermák <dcermak@suse.com> | 2022-09-21 23:09:10 +0200 |
---|---|---|
committer | Dan Čermák <dcermak@suse.com> | 2022-09-22 16:44:26 +0200 |
commit | 5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (patch) | |
tree | 75d118cca1ec243b737e883651bbb6229e41722f /pkg | |
parent | 828fae12971c5a7b9807c8c4f8e029fe5d0ddc2f (diff) | |
download | podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.gz podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.bz2 podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.zip |
Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.
Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode
This fixes https://github.com/containers/podman/issues/15878
Signed-off-by: Dan Čermák <dcermak@suse.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/util/utils_freebsd.go | 2 | ||||
-rw-r--r-- | pkg/util/utils_linux.go | 5 |
2 files changed, 5 insertions, 2 deletions
diff --git a/pkg/util/utils_freebsd.go b/pkg/util/utils_freebsd.go index 9b0d7c8c7..ba91308af 100644 --- a/pkg/util/utils_freebsd.go +++ b/pkg/util/utils_freebsd.go @@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) { return []string{}, errors.New("this function is not supported on freebsd") } -func AddPrivilegedDevices(g *generate.Generator) error { +func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error { return nil } diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go index 7b2d98666..07927db1c 100644 --- a/pkg/util/utils_linux.go +++ b/pkg/util/utils_linux.go @@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) { return nodes, nil } -func AddPrivilegedDevices(g *generate.Generator) error { +func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error { hostDevices, err := getDevices("/dev") if err != nil { return err @@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error { } } else { for _, d := range hostDevices { + if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") { + continue + } g.AddDevice(d) } // Add resources device - need to clear the existing one first. |