From 5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 Mon Sep 17 00:00:00 2001
From: Dan Čermák
Date: Wed, 21 Sep 2022 23:09:10 +0200
Subject: Don't mount /dev/tty* inside privileged containers running systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers.

Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode

This fixes https://github.com/containers/podman/issues/15878

Signed-off-by: Dan Čermák
---
test/system/030-run.bats | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
(limited to 'test/system')

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 2abf749a1..65a1150a3 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -901,4 +901,22 @@ $IMAGE--c_ok" \
 run_podman rm $ctr_name
 }
+@test "podman run --privileged as root with systemd will not mount /dev/tty" {
+ skip_if_rootless "this test only makes sense as root"
+ ctr_name="container-$(random_string 5)"
+ run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause
+ TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')
+ if [[ $TTYs = "" ]]; then
+ die "Did not find any /dev/ttyN devices on local host"
+ else
+ run_podman exec "$ctr_name" ls /dev/
+ assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container"
+ fi
+ run_podman stop "$ctr_name"
+}
+ # vim: filetype=sh
--
cgit v1.2.3-54-g00ecf
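Review bot: The assertion `assert "$(grep tty <<<$output)" = "tty" ...` in the new @test is brittle: it passes only when `ls /dev/` inside the container yields exactly one tty-named entry that is literally `tty`, so it also fails when `/dev/tty` itself is absent or when some other tty-named device (a serial console, for instance) is present, and the failure message then points at the wrong cause. A negative match states the intent the commit describes and keeps the diagnostic accurate: `assert "$output" !~ "tty[0-9]" "There must be no /dev/ttyN devices in the container"`, assuming the `!~` operator of the suite's `assert` helper is available on this branch. The host-side precondition `TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')` also lets `ls` write an error to the test log when the glob matches nothing; a plain shell glob test such as `compgen -G "/dev/tty[0-9]*" >/dev/null || die "..."` checks the same precondition without spawning `ls` and `sed`.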