nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg

2026-01-20 03:28:08 +00:00 · 2012-04-22 00:32:13 +02:00 · 2012-04-22 00:32:13 +02:00 · f1e5dfe2c0
commit f1e5dfe2c0
parent 461282d52a
2 changed files with 10 additions and 1 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -3123,7 +3123,6 @@ systemd-install-data-hook:
 		$(LN_S) ../system-services/org.freedesktop.systemd1.service org.freedesktop.systemd1.service )
 if HAVE_PLYMOUTH
 	$(MKDIR_P) -m 0755 \
-		$(DESTDIR)$(SYSTEM_SYSVINIT_PATH) \
 		$(DESTDIR)$(systemunitdir)/reboot.target.wants \
 		$(DESTDIR)$(systemunitdir)/kexec.target.wants \
 		$(DESTDIR)$(systemunitdir)/poweroff.target.wants \
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -394,6 +394,13 @@ static int setup_kmsg(const char *dest, int kmsg_socket) {

        u = umask(0000);

+        /* We create the kmsg FIFO as /dev/kmsg, but immediately
+         * delete it after bind mounting it to /proc/kmsg. While FIFOs
+         * on the reading side behave very similar to /proc/kmsg,
+         * their writing side behaves differently from /dev/kmsg in
+         * that writing blocks when nothing is reading. In order to
+         * avoid any problems with containers deadlocking due to this
+         * we simply make /dev/kmsg unavailable to the container. */
        if (asprintf(&from, "%s/dev/kmsg", dest) < 0) {
                log_error("Out of memory");
                r = -ENOMEM;
@ -456,6 +463,9 @@ static int setup_kmsg(const char *dest, int kmsg_socket) {
                goto finish;
        }

+        /* And now make the FIFO unavailable as /dev/kmsg... */
+        unlink(from);
+
 finish:
        free(from);
        free(to);