From 5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 Mon Sep 17 00:00:00 2001
From: Dan Čermák
Date: Wed, 21 Sep 2022 23:09:10 +0200
Subject: Don't mount /dev/tty* inside privileged containers running systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers.

Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode

This fixes https://github.com/containers/podman/issues/15878

Signed-off-by: Dan Čermák
---
 libpod/container_internal_common.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'libpod')

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 874e9affe..29107d4b6 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// If the flag to mount all devices is set for a privileged container, add
 	// all the devices from the host's machine into the container
 	if c.config.MountAllDevices {
-		if err := util.AddPrivilegedDevices(&g); err != nil {
+		systemdMode := false
+		if c.config.Systemd != nil {
+			systemdMode = *c.config.Systemd
+		}
+		if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
 			return nil, err
 		}
 	}
-- 
cgit v1.2.3-54-g00ecf
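Review bot: The new systemdMode derivation treats a nil c.config.Systemd as "not systemd mode", so in that case the host /dev/ttyN devices are still added to the privileged container, and nothing at the call site records the rationale that lives only in the commit message. A short comment next to the decision would keep the intent visible to the next maintainer: `// In systemd mode, do not expose /dev/ttyN: systemd takes control of exported ttys (see https://systemd.io/CONTAINER_INTERFACE/), which conflicts with the host's tty.` The four-line nil guard can also collapse to a single expression, `systemdMode := c.config.Systemd != nil && *c.config.Systemd`. The filtering itself happens in util.AddPrivilegedDevices, which this diff (limited to libpod) does not show, so whether treating nil as false is the safe default for that helper cannot be checked here; generateSpec continues outside the hunk.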