From b431088c81fb37e1e38220213bc9dbf79ffe3239 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 5 Sep 2024 15:05:32 +0900
Subject: [PATCH] nspawn: refuse to bind mount device node from host when --private-users= is specified

Also do not chown if a device node is bind-mounted.

Fixes #34243.

(cherry picked from commit efedb6b0f3cff37950112fd37cb750c16d599bc7)
(cherry picked from commit a23591891b9e85107f39d103eabbb5bc9a6ced6f)
(cherry picked from commit bc72d9557cdc0411ce95543238f95d82b5ce4a72)
---
 src/nspawn/nspawn.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 316902e37f..aab6f8e268 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2264,7 +2264,7 @@ static int copy_devnodes(const char *dest) {
 /* Explicitly warn the user when /dev is already populated. */
 if (errno == EEXIST)
 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest);
- if (errno != EPERM)
+ if (errno != EPERM || arg_uid_shift != 0)
 return log_error_errno(errno, "mknod(%s) failed: %m", to);
 /* Some systems abusively restrict mknod but allow bind mounts. */
@@ -2274,12 +2274,12 @@ static int copy_devnodes(const char *dest) {
 r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL);
 if (r < 0)
 return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to);
+ } else {
+ r = userns_lchown(to, 0, 0);
+ if (r < 0)
+ return log_error_errno(r, "chown() of device node %s failed: %m", to);
 }
- r = userns_lchown(to, 0, 0);
- if (r < 0)
- return log_error_errno(r, "chown() of device node %s failed: %m", to);
-
 dn = path_join("/dev", S_ISCHR(st.st_mode) ? "char" : "block");
 if (!dn)
 return log_oom();
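Review bot: The refusal in `if (errno != EPERM || arg_uid_shift != 0)` keys on a non-zero uid shift rather than on whether --private-users= was given as the subject line says, so a user namespace with a zero shift (e.g. --private-users=0) still takes the bind-mount fallback; if that is intended because ownership then maps 1:1 between host and container, a one-line comment should say so, and if `arg_uid_shift` can still hold its unset sentinel at this point the condition refuses in that case too, which is worth confirming. In the shifted case the user only sees the generic `mknod(%s) failed: %m`, which hides that the bind-mount workaround was deliberately skipped; I would keep the original `if (errno != EPERM)` check and add after it `if (arg_uid_shift != 0) return log_error_errno(errno, "mknod(%s) failed, and bind mounting host device nodes is refused with --private-users=: %m", to);`. The comment on the next line, `/* Some systems abusively restrict mknod but allow bind mounts. */`, should also mention that this workaround is not available with a uid shift. copy_devnodes() starts and ends outside this hunk.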
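Review bot: The new `} else {` branch drops the `userns_lchown()` for bind-mounted nodes without saying why, so a later cleanup could easily hoist the chown back out of the conditional and reintroduce the problem; I would put above the `} else {` a comment such as `/* Only chown nodes we created ourselves: a bind mount exposes the host's inode, so chowning it would change ownership on the host (see #34243). */` (the host-side effect is what I infer from the commit message, confirm before wording it as fact). Since a bind-mounted node now keeps whatever ownership it has on the host, a `log_debug("Bind mounted %s from host, keeping host ownership.", to);` after the successful `mount_nofollow_verbose()` call would make the two paths distinguishable at run time. The `if (mknod(...) < 0)` block this `else` belongs to starts before the hunk, as does copy_devnodes().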