I've created a systemd-nspawn container in which /dev/fb1 from the host is bound as /dev/fb0. I've set PrivateUsers=off in the .nspawn config file, and the file ownership and permissions of /dev/fb0 in the container appear to be the same as /dev/fb1 on the host. Running cat /dev/urandom >/dev/fb1 on the host works as expected ('no space left on device' error), but if I boot the container and log in to it as root (with machinectl), cat /dev/urandom >/dev/fb0 fails with 'Operation not permitted'. I also tried to write to it using dd -if /dev/urandom -of /dev/fb0, and that gave the error 'dd: failed to open '/dev/fb0': Operation not permitted'. I've tested other commands that would require root access, such as chmod and chown, and my root user in the container is able to run those.
If I bind /dev/fb1 as itself (i.e. just Bind=/dev/fb1), then the write operation is permitted.
Does anyone know why I can't open the file for writes from within the container?
This is the .nspawn config:
[Exec]
Capability=CAP_SYS_ADMIN
PrivateUsers=off

[Files]
Bind=/dev/fb1:/dev/fb0
Bind=/srv

This is the systemd-nspawn service override file for the container:
[Service]
DeviceAllow=/dev/fb0 rw
DeviceAllow=char-input rw
DeviceAllow=char-drm rw

(I'm sure some of this config is unnecessary -- I've just been chucking in everything I can think of to solve my problem.)