<div dir="ltr">Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two space-separated strings: a device node path (such as /dev/null) followed by a combination of r, w, m”.<br><br>But that's not the main issue here. The main issue here is that devices.allow and devices.deny control access to _devices_.<br>
Your own user doesn't have write access to `/dev/sda`, but, somehow, you still can create files in your home directory, right? That's because file creation (and actually all the filesystem access) is done through kernel interfaces, not by reading/writing device nodes directly (that would be kind of insecure, right?).<br>
<br>I can't come up with a proper solution to limit FS access if your process will be running as root.<br></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br></div>--<br>Кирилл Елагин</div></div>
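An added example for this thread (not Kirill's code and not part of systemd): a small POSIX shell lint that applies the two checks made above to a unit file. A `DeviceAllow=` value must be a device node path followed by a space and a combination of `r`, `w`, `m`, as the man page text quoted in the thread says, and only `DevicePolicy=strict` confines the unit to that list. For nodes that exist on the machine it runs on, it also prints the `devices.allow`-style rule (type, major:minor, mode) the cgroup attribute receives, and it ends with a reminder that these rules gate device nodes only, not file creation through the filesystem. The function names are mine; the two sample unit files are constructed from the units posted in the thread.

```shell
#!/bin/sh
# Added example; not systemd's own code. Lints the device-access settings of a
# systemd unit file against the DeviceAllow= rule quoted in the thread: a device
# node path, a space, and a combination of r, w, m. Function names are mine.

# valid_mode MODE -> 0 if MODE is a non-empty combination of r, w, m without repeats
valid_mode() {
    vm_mode="$1"
    [ -n "$vm_mode" ] || return 1
    case "$vm_mode" in *[!rwm]*) return 1 ;; esac            # letter other than r, w, m
    for vm_c in r w m; do
        case "$vm_mode" in *"$vm_c"*"$vm_c"*) return 1 ;; esac   # same letter twice
    done
    return 0
}

# device_rule PATH MODE -> the devices.allow-style rule ("c 1:5 r") for a node that
# exists on this machine, or "? PATH" when it cannot be stat'ed (GNU stat assumed)
device_rule() {
    dr_path="$1" dr_mode="$2" dr_kind=""
    if [ -c "$dr_path" ]; then dr_kind=c; elif [ -b "$dr_path" ]; then dr_kind=b; fi
    dr_nums=$(stat -c '%t %T' "$dr_path" 2>/dev/null) || dr_nums=""   # hex major, hex minor
    set -- $dr_nums
    if [ -z "$dr_kind" ] || [ $# -ne 2 ]; then
        printf '? %s\n' "$dr_path"
        return 0
    fi
    printf '%s %d:%d %s\n' "$dr_kind" "0x$1" "0x$2" "$dr_mode"
}

# lint_device_settings FILE -> prints one diagnostic per line; returns 0 only when
# every DeviceAllow= line is well formed and DevicePolicy=strict is present
lint_device_settings() {
    unit="$1" errors=0 policy=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            DevicePolicy=*) policy="${line#DevicePolicy=}" ;;
            DeviceAllow=) ;;                       # empty assignment resets the list: valid
            DeviceAllow=*)
                value="${line#DeviceAllow=}"
                path="${value%% *}"
                mode="${value#* }"
                if [ "$mode" = "$value" ]; then   # no second field at all
                    printf 'ERROR: "%s": missing access mode, e.g. "DeviceAllow=%s r"\n' "$line" "$path"
                    errors=$((errors + 1))
                elif ! valid_mode "$mode"; then
                    printf 'ERROR: "%s": mode must be a combination of r, w, m\n' "$line"
                    errors=$((errors + 1))
                else
                    printf 'OK: %s -> %s\n' "$line" "$(device_rule "$path" "$mode")"
                fi ;;
        esac
    done < "$unit"
    case "$policy" in
        strict) ;;
        "") printf 'WARN: no DevicePolicy=; only strict limits the unit to the DeviceAllow= list\n'
            errors=$((errors + 1)) ;;
        *)  printf 'WARN: DevicePolicy=%s; only strict limits the unit to the DeviceAllow= list\n' "$policy"
            errors=$((errors + 1)) ;;
    esac
    printf 'NOTE: these rules gate open()/mknod() on device nodes; creating ordinary files is unaffected\n'
    [ "$errors" -eq 0 ]
}

# Constructed samples (built from the units posted in the thread), written to a temp dir
make_sample_units() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/thread.service" <<'EOF'
[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
DevicePolicy=strict
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
Restart=always
[Install]
WantedBy=multi-user.target
EOF
    sed 's#^DeviceAllow=/dev/zero$#DeviceAllow=/dev/zero r#' \
        "$SAMPLE_DIR/thread.service" > "$SAMPLE_DIR/fixed.service"
}

make_sample_units
echo "== unit as posted"
lint_device_settings "$SAMPLE_DIR/thread.service" || echo "(lint failed, as expected)"
echo "== with DeviceAllow=/dev/zero r"
lint_device_settings "$SAMPLE_DIR/fixed.service"
```

Run it on a unit file of your own with `lint_device_settings /etc/systemd/system/foo.service`. The lint deliberately passes the corrected unit even though `dd` will still write `/root/file_1`: the NOTE line is the point of the thread, the device cgroup is consulted when a device node is opened or created, not when a regular file is.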
<br><br><div class="gmail_quote">On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <span dir="ltr"><<a href="mailto:moagrawa@redhat.com" target="_blank">moagrawa@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Kirill,<br>
<br>
<br>
Thanks for your valuable reply. As per the man page, DeviceAllow is used to control access to specific device nodes by the executed process; this also controls both devices.allow and devices.deny (my query is how it controls devices.deny). I am assuming that after updating DevicePolicy to strict, the process can use only the allowed type of devices and no other devices, but after adding DevicePolicy it is still trying to create the file /root/file_1.<br>
<br>
DeviceAllow=<br>
Control access to specific device nodes by the executed<br>
processes. Takes two space-separated strings: a device node path<br>
(such as /dev/null) followed by a combination of r, w, m to<br>
control reading, writing, or creation of the specific device node<br>
by the unit (mknod), respectively. This controls the<br>
"devices.allow" and "devices.deny" control group attributes. For<br>
details about these control group attributes, see devices.txt[4].<br>
<br>
DevicePolicy=auto|closed|strict<br>
Control the policy for allowing device access:<br>
<br>
strict<br>
means to only allow types of access that are explicitly<br>
specified.<br>
<br>
[Unit]<br>
Description=mydevblock<br>
[Service]<br>
DeviceAllow=/dev/zero<br>
DevicePolicy=strict<br>
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400<br>
Restart=always<br>
[Install]<br>
WantedBy=multi-user.target<br>
<br>
I believe it should restrict creating the file.<br>
<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Mohit Agrawal<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
----- Original Message -----<br>
From: "Kirill Elagin" <<a href="mailto:kirelagin@gmail.com">kirelagin@gmail.com</a>><br>
To: "Mohit Agrawal" <<a href="mailto:moagrawa@redhat.com">moagrawa@redhat.com</a>><br>
Cc: "systemd Mailing List" <<a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a>><br>
Sent: Wednesday, June 4, 2014 12:17:46 PM<br>
Subject: Re: [systemd-devel] How to Restrict device in systemd?<br>
<br>
First of all, according to docs, `DeviceAllow` syntax is somewhat different<br>
from what you have.<br>
Second, you might want to check `DevicePolicy`, as now your unit has access<br>
not only to `/dev/zero`, but also to four other devices.<br>
<br>
And hm, I thought, those directives control access to device nodes. Why are<br>
you expecting them to limit access to the filesystem?<br>
<br>
<br>
--<br>
Кирилл Елагин<br>
<br>
<br>
On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <<a href="mailto:moagrawa@redhat.com">moagrawa@redhat.com</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> I want to block the device through the systemd cgroup so I have created the<br>
> below unit file<br>
><br>
> [Unit]<br>
> Description=mydevblock<br>
> [Service]<br>
> DeviceAllow=/dev/zero<br>
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40<br>
> Restart=always<br>
> [Install]<br>
> WantedBy=multi-user.target<br>
><br>
><br>
> As per my understanding, in this unit file I have allowed only the /dev/zero<br>
> device, so the dd command should not create file_1 successfully; it should<br>
> give an error.<br>
><br>
> systemctl start mydevblock.service<br>
><br>
> Below is the status after starting the service, and file_1 is successfully<br>
> created<br>
><br>
> [host-name ~]# systemctl status mydevblock.service<br>
> ● mydev.service - mydevblock<br>
> Loaded: loaded (/etc/systemd/system/mydev.service; disabled)<br>
> Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;<br>
> 831ms ago<br>
> Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M<br>
> count=40 (code=exited, status=0/SUCCESS)<br>
> Main PID: 27800 (code=exited, status=0/SUCCESS)<br>
><br>
> Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,<br>
> scheduling restart.<br>
> Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...<br>
> Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...<br>
> Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request<br>
> repeated too quickly, refusing to start.<br>
> Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.<br>
> Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed<br>
> state.<br>
><br>
> [host-name> ~]# ls -lrt<br>
> -rw-r--r--. 1 root root 41943040 Jun 4 11:32 file_1<br>
><br>
><br>
> Can someone reply why file_1 is created successfully?<br>
> Does anyone have an idea how I can put the restriction on the device?<br>
> Appreciate your inputs on this.<br>
><br>
><br>
> Regards<br>
> Mohit Agrawal<br>
> _______________________________________________<br>
> systemd-devel mailing list<br>
> <a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/systemd-devel</a><br>
><br>
</div></div></blockquote></div><br></div>