https://bugzilla.suse.com/show_bug.cgi?id=1202821 https://bugzilla.suse.com/show_bug.cgi?id=1202821#c18 --- Comment #18 from Michal Koutný <mkoutny@suse.com> --- (In reply to Michal Koutný from comment #13)
me (systemd, +cc systemd-maintainers) may want to check why device rules are not properly applied.
From the dump:
-> Unit libpod-955b615b984df586c92fdc7177ab4a8338bdbad109c3b9fc151ec90e7f420812.scope:
    ...
    CGroup realized: yes
    CGroup realized mask: cpu cpuset io memory pids bpf-firewall bpf-devices bpf-foreign
    ...
    DeviceAllow: /dev/char/10:200 rwm
    DeviceAllow: /dev/char/5:2 rwm
    DeviceAllow: /dev/char/5:0 rwm
    DeviceAllow: /dev/char/1:9 rwm
    DeviceAllow: /dev/char/1:8 rwm
    DeviceAllow: /dev/char/1:7 rwm
    DeviceAllow: /dev/char/1:5 rwm
    DeviceAllow: /dev/char/1:3 rwm
This shows that systemd realized bpf-devices (i.e. BPF programs attached) and the DeviceAllow: list does not list the pts wildcard. /dev/pts devices should not be accessible at this moment. They are allowed, though, because runc modifies the BPF predicates (thanks Fabian for checking with bpftool) but doesn't tell systemd about that. After `systemctl daemon-reload` PID just applies what it was told about; that's correct behavior.
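The check described in the comment, as an added example that is not part of the bug report: parse the DeviceAllow: lines of a unit dump and ask whether the configured policy admits a given character device, so that a device that is accessible in practice but denied by this policy (the /dev/pts case above, major 136) stands out as something changed behind systemd's back. The dump excerpt, the `char-<group>` major table and the `/dev/char/MAJ:*` wildcard form are constructed for the example.

```python
import re

# Constructed excerpt in the layout of `systemd-analyze dump` (trimmed from the comment above).
DUMP = """\
-> Unit libpod-955b615b984df586c92fdc7177ab4a8338bdbad109c3b9fc151ec90e7f420812.scope:
    CGroup realized: yes
    CGroup realized mask: cpu cpuset io memory pids bpf-firewall bpf-devices bpf-foreign
    DeviceAllow: /dev/char/10:200 rwm
    DeviceAllow: /dev/char/5:2 rwm
    DeviceAllow: /dev/char/1:3 rwm
"""

# Constructed lookup for "char-<group>" entries, values as listed in /proc/devices (pts = 136).
CHAR_GROUPS = {"pts": 136, "mem": 1, "misc": 10, "tty": 5}

def parse_device_allow(dump):
    """Return (major, minor or None for a whole major, access set) per DeviceAllow: line."""
    rules = []
    for node, acc in re.findall(r"DeviceAllow:\s+(\S+)\s+([rwm]+)", dump):
        if node.startswith("/dev/char/"):
            major, minor = node[len("/dev/char/"):].split(":")
            rules.append((int(major), None if minor == "*" else int(minor), set(acc)))
        elif node.startswith("char-"):  # whole device group, e.g. char-pts
            rules.append((CHAR_GROUPS[node[len("char-"):]], None, set(acc)))
    return rules

def bpf_devices_realized(dump):
    """True when the realized mask shows systemd attached its BPF device filter."""
    m = re.search(r"CGroup realized mask:(.*)", dump)
    return bool(m) and "bpf-devices" in m.group(1).split()

def is_allowed(rules, major, minor, acc="rwm"):
    """Does any rule cover char device major:minor with at least the requested access?"""
    return any(mj == major and mn in (None, minor) and set(acc) <= a
               for mj, mn, a in rules)

def policy_denies(dump, major, minor, acc="rwm"):
    """True when the filter is realized and the device is outside the DeviceAllow: list.
    If such a device is still reachable from the unit, the BPF program was modified
    by something other than systemd (runc in the report above)."""
    return bpf_devices_realized(dump) and not is_allowed(parse_device_allow(dump), major, minor, acc)
```

Feeding a real `systemd-analyze dump` through this and comparing its verdict for /dev/pts/0 with what the unit's processes can actually open reproduces the mismatch the comment describes.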