[systemd-devel] How to Restrict device in systemd?

Kirill Elagin kirelagin at gmail.com
Wed Jun 11 10:57:47 PDT 2014


By the way, reading through the NEWS I thought you might be interested in
`InaccessibleDirectories=/` or something like that.


--
Кирилл Елагин


On Wed, Jun 4, 2014 at 1:18 PM, Mohit Agrawal <moagrawa at redhat.com> wrote:

> Hi,
>
> Thanks for sharing the example unit file, now the query is resolved.
>
>
> Regards
> Mohit Agrawal
>
> ----- Original Message -----
> From: "Kirill Elagin" <kirelagin at gmail.com>
> To: "Mohit Agrawal" <moagrawa at redhat.com>
> Cc: "systemd Mailing List" <systemd-devel at lists.freedesktop.org>
> Sent: Wednesday, June 4, 2014 1:03:47 PM
> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>
> Here is a proof that this kind of limiting for devices actually works. This
> service is trying to read the first byte of `/dev/sda1` but is allowed to
> access `/dev/zero` only:
>
> ~~~~~~~
> [Unit]
> Description=test
> [Service]
> Type=oneshot
> ExecStart=/bin/head /dev/sda1 -c 1
> DeviceAllow=/dev/zero r
> DevicePolicy=strict
> ~~~~~~~~~~
>
> ~~~~~~~~~
> # systemctl start bar.service
> Job for bar.service failed. See 'systemctl status bar.service' and 'journalctl -xn' for details.
>
> # systemctl status bar.service
> <...>
> Jun 04 11:30:53 kirNote head[26237]: /bin/head: cannot open ‘/dev/sda1’ for reading: Operation not permitted
> Jun 04 11:30:53 kirNote systemd[1]: bar.service: main process exited, code=exited, status=1/FAILURE
> Jun 04 11:30:53 kirNote systemd[1]: Failed to start test.
> Jun 04 11:30:53 kirNote systemd[1]: Unit bar.service entered failed state.
> ~~~~~~~~~~~~~~~~
>
>
>
> --
> Кирилл Елагин
>
>
> On Wed, Jun 4, 2014 at 11:29 AM, Kirill Elagin <kirelagin at gmail.com>
> wrote:
>
> > Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two
> > space-separated strings: a device node path (such as /dev/null) followed by
> > a combination of r, w, m”.
> >
> > But that's not the main issue here. The main issue here is that
> > devices.allow and devices.deny control access to _devices_.
> > Your own user doesn't have write access to `/dev/sda`, but, somehow, you
> > still can create files in your home directory, right? That's because file
> > creation (and actually all the filesystem access) is done through kernel
> > interfaces, not by reading/writing device nodes directly (that would be
> > kind of insecure, right?).
> >
> > I can't come up with a proper solution to limit FS access if your process
> > will be running as root.
> >
> >
> > --
> > Кирилл Елагин
> >
> >
> > On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagrawa at redhat.com>
> > wrote:
> >
> >> Hi Kirill,
> >>
> >>
> >> Thanks for your valuable reply. As per the man page, DeviceAllow (used to
> >> control access to specific device nodes by the executed process; this also
> >> controls both devices.allow and devices.deny; my query is how it controls
> >> devices.deny). I am assuming that after updating DevicePolicy to strict,
> >> the process can use only the allowed type of devices and no other devices,
> >> but after adding DevicePolicy it is still trying to create the file on
> >> /root/file_1.
> >>
> >> DeviceAllow=
> >>            Control access to specific device nodes by the executed
> >>            processes. Takes two space-separated strings: a device node path
> >>            (such as /dev/null) followed by a combination of r, w, m to
> >>            control reading, writing, or creation of the specific device node
> >>            by the unit (mknod), respectively. This controls the
> >>            "devices.allow" and "devices.deny" control group attributes. For
> >>            details about these control group attributes, see devices.txt[4].
> >>
> >>        DevicePolicy=auto|closed|strict
> >>            Control the policy for allowing device access:
> >>
> >>            strict
> >>                means to only allow types of access that are explicitly
> >>                specified.
> >>
> >> [Unit]
> >> Description=mydevblock
> >> [Service]
> >> DeviceAllow=/dev/zero
> >> DevicePolicy=strict
> >> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
> >> Restart=always
> >> [Install]
> >> WantedBy=multi-user.target
> >>
> >> I believe it should restrict to create the file .
> >>
> >>
> >> Regards
> >> Mohit Agrawal
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "Kirill Elagin" <kirelagin at gmail.com>
> >> To: "Mohit Agrawal" <moagrawa at redhat.com>
> >> Cc: "systemd Mailing List" <systemd-devel at lists.freedesktop.org>
> >> Sent: Wednesday, June 4, 2014 12:17:46 PM
> >> Subject: Re: [systemd-devel] How to Restrict device in systemd?
> >>
> >> First of all, according to docs, `DeviceAllow` syntax is somewhat different
> >> from what you have.
> >> Second, you might want to check `DevicePolicy`, as now your unit has access
> >> not only to `/dev/zero`, but also to four other devices.
> >>
> >> And hm, I thought, those directives control access to device nodes. Why are
> >> you expecting them to limit access to the filesystem?
> >>
> >>
> >> --
> >> Кирилл Елагин
> >>
> >>
> >> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagrawa at redhat.com>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > I want to block the device through the systemd cgroup, so I have created
> >> > the unit file below
> >> >
> >> > [Unit]
> >> > Description=mydevblock
> >> > [Service]
> >> > DeviceAllow=/dev/zero
> >> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> >> > Restart=always
> >> > [Install]
> >> > WantedBy=multi-user.target
> >> >
> >> >
> >> > As per my understanding, in this unit file I have allowed only the
> >> > /dev/zero device, so the dd command should not create file_1
> >> > successfully; it should give an error.
> >> >
> >> > systemctl start mydevblock.service
> >> >
> >> > Below is the status after starting the service; file_1 is successfully
> >> > created
> >> >
> >> > [host-name ~]# systemctl status mydevblock.service
> >> > ● mydev.service - mydevblock
> >> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
> >> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST; 831ms ago
> >> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40 (code=exited, status=0/SUCCESS)
> >> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
> >> >
> >> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over, scheduling restart.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> >> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service start request repeated too quickly, refusing to start.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed state.
> >> >
> >> > [host-name ~]# ls -lrt
> >> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
> >> >
> >> >
> >> > Can someone reply why file_1 is created successfully?
> >> > Do anyone have idea how can i put the restriction on device?
> >> > Appreciate your inputs on this.
> >> >
> >> >
> >> > Regards
> >> > Mohit Agrawal
> >> > _______________________________________________
> >> > systemd-devel mailing list
> >> > systemd-devel at lists.freedesktop.org
> >> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> >> >
> >>
> >
> >
>
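Added example (not from the thread and not systemd's own code): a small POSIX sh linter that checks a unit for the three mistakes the replies above point out, namely a DeviceAllow= value without its r/w/m access string, a missing DevicePolicy=strict (the default "auto" behaves like "closed" once DeviceAllow= is set, so /dev/null, /dev/full, /dev/random and /dev/urandom stay reachable), and the assumption that device cgroup rules confine filesystem writes, which they do not. It writes a constructed copy of the first unit posted in the thread and a hardened rewrite to a temporary directory and lints both; the hardened unit assumes a systemd with ProtectSystem= and ProtectHome= (present since 214). The lint needs only sed, grep and mktemp, so it runs without systemd. Note that on cgroup v2 hosts systemd enforces these same directives with a BPF device program rather than the devices.allow/devices.deny files quoted from the man page above; the unit syntax is unchanged.

```shell
#!/bin/sh
# lint_unit FILE: prints one line per finding; returns 0 if the unit is clean,
# 1 otherwise. Needs only sed, grep and a POSIX shell, so it runs without systemd.
lint_unit() {
    unit=$1
    findings=0

    # 1. Default DevicePolicy=auto behaves like "closed" once DeviceAllow= is
    #    set: /dev/null, /dev/full, /dev/random and /dev/urandom stay reachable
    #    on top of the listed nodes. Only "strict" limits access to the list.
    policy=$(sed -n 's/^DevicePolicy=[[:space:]]*//p' "$unit" | tail -n 1)
    if [ "$policy" != "strict" ]; then
        echo "$unit: DevicePolicy=${policy:-auto}: /dev/null, /dev/full, /dev/random, /dev/urandom stay reachable; set DevicePolicy=strict"
        findings=$((findings + 1))
    fi

    # 2. Every DeviceAllow= value must be "<node> <subset of rwm>", e.g. "/dev/zero r".
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        node=${value%% *}
        perms=${value#* }
        if [ "$node" = "$value" ]; then
            echo "$unit: DeviceAllow=$value: no access string; write e.g. 'DeviceAllow=$value r'"
            findings=$((findings + 1))
        else
            case $perms in
                *[!rwm]*)
                    echo "$unit: DeviceAllow=$value: access string may only contain r, w, m"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done <<EOF
$(sed -n 's/^DeviceAllow=[[:space:]]*//p' "$unit" | sed 's/[[:space:]]*$//')
EOF

    # 3. The device cgroup filters open()/mknod() on device nodes only; dd writing
    #    /root/file_1 goes through the VFS and is never checked against it.
    if ! grep -Eq '^(ProtectSystem|ProtectHome|ReadOnlyPaths|ReadOnlyDirectories|InaccessiblePaths|InaccessibleDirectories)=' "$unit"; then
        echo "$unit: nothing confines the filesystem; DeviceAllow= does not stop writes to /root (use ProtectSystem=, ProtectHome=, InaccessiblePaths=)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

tmp=$(mktemp -d)

# Constructed copy of the first unit posted in the thread.
cat >"$tmp/mydevblock.service" <<'EOF'
[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
Restart=always
[Install]
WantedBy=multi-user.target
EOF

# Hardened rewrite: only /dev/zero, read-only, and /root made inaccessible by
# ProtectHome=yes so the dd in ExecStart fails at open() instead of silently
# succeeding. ProtectSystem= and ProtectHome= exist since systemd 214; the
# thread's InaccessibleDirectories= is the pre-231 name of InaccessiblePaths=.
cat >"$tmp/mydevblock-hardened.service" <<'EOF'
[Unit]
Description=mydevblock (device nodes and filesystem restricted)
[Service]
Type=oneshot
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
DevicePolicy=strict
DeviceAllow=/dev/zero r
ProtectSystem=full
ProtectHome=yes
EOF

for u in "$tmp/mydevblock.service" "$tmp/mydevblock-hardened.service"; do
    if lint_unit "$u"; then echo "$u: ok"; fi
done

# On a systemd host the device rule alone can be tried as a transient unit
# (expect the same "Operation not permitted" as in the thread's head example):
#   systemd-run -p DevicePolicy=strict -p 'DeviceAllow=/dev/zero r' /bin/head -c 1 /dev/sda1
```

Running it prints three findings for the thread's unit and "ok" for the hardened one; the return code of lint_unit makes it usable as a pre-deploy check in a unit-file CI step.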