populate_sys: allow device access

The systemd test suite does not like having no access to /sys/dev and
other trees related to devices. Optionally provide them. Properly
virtualizing them likely requires lxcfs or similar.

1 files changed, 15 insertions, 0 deletions

diff --git a/linuxnamespaces/__init__.py b/linuxnamespaces/__init__.py
index 8853c07..8c1def3 100644
--- a/linuxnamespaces/__init__.py
+++ b/linuxnamespaces/__init__.py
@@ -526,12 +526,20 @@ def populate_proc(
 def populate_sys(
     origroot: AtLocationLike,
     newroot: PathConvertible,
+    namespaces: CloneFlags,
     rootcgroup: PathConvertible | None = None,
     module: bool = True,
+    devices: bool = False,
 ) -> None:
     """Create a /sys hierarchy below newroot. Bind the cgroup hierarchy. The
     cgroup hierarchy will be mounted read-only if mounting the root group.
 
+    The module parameter indicates whether the /sys/module should be made
+    available read-only (True) or not at all (False). The devices parameter
+    indicates whether the devices hierarchy should be made available. If the
+    given namespaces happen to include a network namespace, virtual network
+    devices will be modifiable.
+
     A process with CAP_SYS_ADMIN can remount the created bind mounts read-write
     or umount hiding mounts and thus elevate their privileges.
     """
@@ -548,6 +556,13 @@ def populate_sys(
         )
     if module:
         bind_mounts["module"] = ("module", True)
+    if devices:
+        for subdir in ("bus", "class", "dev", "devices"):
+            bind_mounts[subdir] = (subdir, True)
+    if namespaces & CloneFlags.NEWNET:
+        if not devices:
+            bind_mounts["class/net"] = ("class/net", True)
+        bind_mounts["devices/virtual/net"] = ("devices/virtual/net", False)
 
     bind_fds: dict[str, AtLocation] = {}
     with contextlib.ExitStack() as exitstack: