@@ -23,10 +23,18 @@ func systemdProperties(r *configs.Resources, sdVer int) ([]systemdDbus.Property,
2323 }
2424
2525 properties := []systemdDbus.Property {
26+ // When we later add DeviceAllow=/dev/foo properties, we are
27+ // appending devices to the allow list for the unit. However,
28+ // if this is an existing unit, it already has DeviceAllow=
29+ // entries, and we need to clear them all before applying the
30+ // new set. (We also do this for new units, mainly for safety
31+ // to ensure we only enable the devices we expect.)
32+ //
33+ // To clear any existing DeviceAllow= rules, we have to add an
34+ // empty DeviceAllow= property.
35+ newProp ("DeviceAllow" , []deviceAllowEntry {}),
2636 // Always run in the strictest white-list mode.
2737 newProp ("DevicePolicy" , "strict" ),
28- // Empty the DeviceAllow array before filling it.
29- newProp ("DeviceAllow" , []deviceAllowEntry {}),
3038 }
3139
3240 // Figure out the set of rules.
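Review bot: The new comment on the DeviceAllow= property explains why the allow list is emptied but not why it now has to precede DevicePolicy=strict, which is the actual change this hunk makes and the thing a later edit is most likely to undo (the old order had DevicePolicy first and the two lines look interchangeable). Presumably systemd applies the properties in the order they are sent, so a DevicePolicy=strict that lands while the previous DeviceAllow= entries are still present leaves those entries effective; if that is the reason, state it on the property itself, e.g. `// Must precede DevicePolicy=: properties are applied in order, so the old allow list has to be gone before strict mode is set.` (confirm the wording against systemd's documented behaviour). The same reordering is applied in allowAllDevices in the second hunk and deserves the same one-line note there, since the "auto" case is the one that would silently widen device access if the order regressed. systemdProperties continues past the end of this hunk.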
@@ -239,7 +247,7 @@ func allowAllDevices() []systemdDbus.Property {
239247 // Setting mode to auto and removing all DeviceAllow rules
240248 // results in allowing access to all devices.
241249 return []systemdDbus.Property {
242- newProp ("DevicePolicy" , "auto" ),
243250 newProp ("DeviceAllow" , []deviceAllowEntry {}),
251+ newProp ("DevicePolicy" , "auto" ),
244252 }
245253}