I've created a systemd-nspawn container in which /dev/fb1 from the host is bound as /dev/fb0. I've set PrivateUsers=off in the .nspawn config file, and the file ownership and permissions of /dev/fb0 in the container appear to be the same as /dev/fb1 on the host. Running cat /dev/urandom >/dev/fb1 on the host works as expected ('no space left on device' error), but if I boot the container and log in to it as root (with machinectl), cat /dev/urandom >/dev/fb0 fails with 'Operation not permitted'. I also tried to write to it using dd if=/dev/urandom of=/dev/fb0, and that gave the error 'dd: failed to open '/dev/fb0': Operation not permitted'. I've tested other commands that would require root access, such as chmod and chown, and my root user in the container is able to run those.
If I bind /dev/fb1 as itself (i.e. just Bind=/dev/fb1), then the write operation is permitted.
Does anyone know why I can't open the file for writes from within the container?
This is the .nspawn config:
[Exec]
Capability=CAP_SYS_ADMIN
PrivateUsers=off
[Files]
Bind=/dev/fb1:/dev/fb0
Bind=/srv
This is the systemd-nspawn service override file for the container:
[Service]
DeviceAllow=/dev/fb0 rw
DeviceAllow=char-input rw
DeviceAllow=char-drm rw
(I'm sure some of this config is unnecessary -- I've just been chucking in everything I can think of to solve my problem.)
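One check worth running on a setup like this (an added example, not part of the original post): the device cgroup that DeviceAllow= configures matches on device type and major:minor numbers, never on the path name, and a path given to DeviceAllow= is resolved on the host when the unit starts. The script below prints the major:minor of the host node, of the bound node as seen from inside the container (reached through the leader process's /proc/PID/root), and of whatever host node the DeviceAllow= path names, so the three can be compared side by side. CONTAINER is a placeholder for the machinectl name of the container; /dev/fb1, /dev/fb0 and the DeviceAllow=/dev/fb0 line are taken from the post. Run it as root on the host with the container already booted.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the numbers the device
# cgroup actually filters on: it keys on (type, major, minor), not on the path.

# devnum PATH -> prints "major:minor" in decimal; fails if PATH is not a device node
devnum() {
    _maj=$(stat -c '%t' "$1") || return 1
    _min=$(stat -c '%T' "$1") || return 1
    # stat prints both numbers in hex; a non-device node reports 0 for both
    [ "$_maj$_min" != "00" ] || return 1
    printf '%d:%d\n' "$((0x$_maj))" "$((0x$_min))"
}

# same_device NUM1 NUM2 -> true when both "major:minor" strings are equal
same_device() {
    [ "$1" = "$2" ]
}

# container_root NAME -> path through which the host sees the container's root
# filesystem (the leader PID's /proc entry; requires root on the host)
container_root() {
    _pid=$(machinectl show -p Leader --value "$1") || return 1
    printf '/proc/%s/root\n' "$_pid"
}

# Usage (as root, on the host, container already booted):
#   sh devcheck.sh CONTAINER /dev/fb1 /dev/fb0
# CONTAINER is a placeholder; the two paths are the host node and the name it
# is bound to inside the container (the values used in the post).
if [ -n "${3:-}" ]; then
    container=$1 host_node=$2 guest_node=$3
    root=$(container_root "$container")
    host_num=$(devnum "$host_node")
    guest_num=$(devnum "$root$guest_node")
    echo "host      $host_node -> $host_num"
    echo "container $guest_node -> $guest_num"
    # The post's DeviceAllow= line names the container-side path; the unit is
    # evaluated on the host, so show what that same path is on the host, if present
    if [ -e "$guest_node" ]; then
        echo "host      $guest_node (path named by DeviceAllow=) -> $(devnum "$guest_node")"
    fi
    if same_device "$host_num" "$guest_num"; then
        echo "bind maps the same device on both sides"
    else
        echo "MISMATCH: the bound node is not the same device as the host node" >&2
    fi
fi
```

The numbers printed for the container-side node and for the host-side path named by DeviceAllow= are the two that should agree with the host node you intend to expose; if any of the three differ, the device filter and the bind mount are not talking about the same device.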