[systemd-devel] How to Restrict device in systemd?

Mohit Agrawal moagrawa at redhat.com
Wed Jun 4 00:16:46 PDT 2014


Hi Kirill,


Thanks for your valuable reply. As per the man page, DeviceAllow is used to control access to specific device nodes by the executed process, and it also controls both devices.allow and devices.deny (my query is how it controls devices.deny). I am assuming that after updating DevicePolicy to strict, the process can use only the allowed types of devices and no other devices, but even after adding DevicePolicy it is still trying to create the file at /root/file_1.

DeviceAllow=
           Control access to specific device nodes by the executed
           processes. Takes two space-separated strings: a device node path
           (such as /dev/null) followed by a combination of r, w, m to
           control reading, writing, or creation of the specific device node
           by the unit (mknod), respectively. This controls the
           "devices.allow" and "devices.deny" control group attributes. For
           details about these control group attributes, see devices.txt[4].

       DevicePolicy=auto|closed|strict
           Control the policy for allowing device access:

           strict
               means to only allow types of access that are explicitly
               specified.

[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
DevicePolicy=strict
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
Restart=always
[Install]
WantedBy=multi-user.target

I believe it should restrict creating the file.


Regards
Mohit Agrawal
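As an added illustration (not code from this thread or from systemd itself), the following models what the man page excerpt above describes: DeviceAllow= and DevicePolicy= are applied by the cgroup devices controller to device nodes, identified here with stat(), so a regular file such as /root/file_1 is never subject to them. It parses the unit from the thread, flags a bare DeviceAllow= path (the "rwm" fallback for it is an assumption), and models only DevicePolicy=strict.

```python
import os
import stat
import tempfile

# Constructed copy of the [Service] settings from the thread, used as parser input.
UNIT_TEXT = """[Service]
DeviceAllow=/dev/zero
DevicePolicy=strict
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
"""

def parse_device_settings(unit_text):
    """Return (DevicePolicy, [(node, modes)], warnings) from unit text."""
    policy, allows, warnings = "auto", [], []
    for raw in unit_text.splitlines():
        if "=" not in raw:
            continue
        key, value = (part.strip() for part in raw.split("=", 1))
        if key == "DevicePolicy":
            policy = value
        elif key == "DeviceAllow":
            fields = value.split()
            if len(fields) == 1:  # documented form is "<node> <r/w/m>"; a bare path is flagged
                warnings.append(f"DeviceAllow={value}: access string omitted, assuming rwm")
                fields.append("rwm")  # assumption: the default applied to a bare path
            allows.append((fields[0], fields[1]))
    return policy, allows, warnings

def is_device_node(path):
    """True only for character/block device nodes, the objects DeviceAllow= governs."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)

def device_access_allowed(path, access, policy, allows):
    """Model the cgroup devices controller under DevicePolicy=strict for 'r', 'w' or 'm'."""
    assert policy == "strict", "only DevicePolicy=strict is modelled here"
    if not is_device_node(path):
        return True  # regular files such as /root/file_1 are never filtered by this controller
    return any(node == path and access in modes for node, modes in allows)

def demo():
    # Evaluate the thread's unit: reading /dev/zero versus writing a regular file.
    policy, allows, warnings = parse_device_settings(UNIT_TEXT)
    with tempfile.NamedTemporaryFile(prefix="file_1-") as stand_in:  # plays /root/file_1
        return {"warnings": warnings,
                "zero_read": device_access_allowed("/dev/zero", "r", policy, allows),
                "file_write": device_access_allowed(stand_in.name, "w", policy, allows)}
```

Running demo() shows the write to the regular file is allowed whatever the device policy says, which is the behaviour observed in the thread; the policy only decides the answer for device nodes.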



----- Original Message -----
From: "Kirill Elagin" <kirelagin at gmail.com>
To: "Mohit Agrawal" <moagrawa at redhat.com>
Cc: "systemd Mailing List" <systemd-devel at lists.freedesktop.org>
Sent: Wednesday, June 4, 2014 12:17:46 PM
Subject: Re: [systemd-devel] How to Restrict device in systemd?

First of all, according to docs, `DeviceAllow` syntax is somewhat different
from what you have.
Second, you might want to check `DevicePolicy`, as now your unit has access
not only to `/dev/zero`, but also to four other devices.

And hm, I thought, those directives control access to device nodes. Why are
you expecting them to limit access to the filesystem?


--
Кирилл Елагин


On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagrawa at redhat.com> wrote:

> Hi,
>
> I want to block the device through the systemd cgroup so I have created a
> below unit file
>
> [Unit]
> Description=mydevblock
> [Service]
> DeviceAllow=/dev/zero
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> Restart=always
> [Install]
> WantedBy=multi-user.target
>
>
> As per my understanding in this unit file I have allowed only /dev/zero
> device so dd command should not create the file_1 successfully it should
> give the error .
>
> systemctl start mydevblock.service
>
> Below is the status after start the service and file_1 is successfully
> created
>
> [host-name ~]# systemctl status mydevblock.service
> ● mydev.service - mydevblock
>    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
>    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;
> 831ms ago
>   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
> count=40 (code=exited, status=0/SUCCESS)
>  Main PID: 27800 (code=exited, status=0/SUCCESS)
>
> Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
> scheduling restart.
> Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request
> repeated too quickly, refusing to start.
> Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed
> state.
>
> [host-name> ~]# ls -lrt
> -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
>
>
> Can someone reply why file_1 is created successfully?
> Do anyone have idea how can i put the restriction on device?
> Appreciate your inputs on this.
>
>
> Regards
> Mohit Agrawal

