[systemd-devel] PrivateDevices with more than basic set of devices?

Lennart Poettering lennart at poettering.net
Tue Jan 27 13:40:45 PST 2015


On Tue, 27.01.15 21:38, Topi Miettinen (toiwoton at gmail.com) wrote:

> >> CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
> >> DevicePolicy=closed
> >> DeviceAllow=block-sd r
> >> DeviceAllow=/dev/sda r
> >> DeviceAllow=/dev/sdb r
> >> works fine here.
> > 
> > You should be able to reduce this to simply:
> > 
> >     DeviceAllow=block-sd r
> > 
> > This should suffice since DevicePolicy=closed is implied if there's at
> > least one DeviceAllow= specified. And "DeviceAllow=block-sd r" enables
> > access to all /dev/sd* devices, which includes /dev/sda and /dev/sdb,
> > of course.
> 
> In general yes, but I didn't want to allow SMART requests to /dev/sdc,
> it's a DVD-ROM drive and there are useless errors if accessed with
> SMART.

Well, don't you just get a different error then?

That said, if this is really what you want, then you should really
remove the "DeviceAllow=block-sd r" line, since that opens up access
to /dev/sdc, too...

Lennart

-- 
Lennart Poettering, Red Hat
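As an added illustration of the point made above (this is not code from the thread or from systemd), a small Python checker that reads the DeviceAllow= lines of a unit and reports what a given device node would be granted. It approximates systemd's rules: "block-sd" is treated as every /dev/sd* node (systemd actually resolves the group through /proc/devices), other group names are not handled, and the DevicePolicy=closed defaults are the documented set.

```python
"""Approximate DeviceAllow= evaluation (added example, not systemd's own code)."""
import re

# Nodes that DevicePolicy=closed allows implicitly (per systemd.resource-control(5)).
CLOSED_DEFAULTS = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
                   "/dev/urandom", "/dev/tty", "/dev/pts/ptmx"}


def parse_device_rules(unit_text):
    """Return (policy, [(pattern, mode), ...]) from a unit's [Service] lines."""
    policy, rules = "auto", []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "DevicePolicy":
            policy = value.strip()
        elif key == "DeviceAllow":
            parts = value.split()
            if parts:
                rules.append((parts[0], parts[1] if len(parts) > 1 else "rwm"))
    # As stated in the thread: one DeviceAllow= line implies DevicePolicy=closed.
    if policy == "auto" and rules:
        policy = "closed"
    return policy, rules


def _matches(pattern, dev):
    # Simplification: block-sd == any /dev/sd* node (systemd matches the driver).
    if pattern == "block-sd":
        return re.fullmatch(r"/dev/sd[a-z]+\d*", dev) is not None
    return pattern == dev


def device_access(unit_text, dev):
    """Return the access string ('r', 'rw', 'rwm') granted to dev, or None."""
    policy, rules = parse_device_rules(unit_text)
    if policy == "auto":
        return "rwm"  # no device filtering at all
    modes = "".join(m for pat, m in rules if _matches(pat, dev))
    if not modes and policy == "closed" and dev in CLOSED_DEFAULTS:
        return "rwm"
    return "".join(sorted(set(modes), key="rwm".index)) or None


# Constructed unit fragments: the thread's original set and the narrowed one.
ORIGINAL = """[Service]
DevicePolicy=closed
DeviceAllow=block-sd r
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
"""
NARROWED = """[Service]
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
"""
```

With ORIGINAL, `device_access(ORIGINAL, "/dev/sdc")` returns "r" because the block-sd line covers the DVD drive; with NARROWED it returns None while /dev/sda keeps "r".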
