[systemd-devel] DeviceAllow

Lennart Poettering lennart at poettering.net
Tue Dec 18 08:52:13 PST 2012


On Mon, 17.12.12 16:50, Juan Orti Alcaine (j.orti.alcaine at gmail.com) wrote:

> Hello,
> 
> I'm testing some of the security measures described in this post [1], and I'm 
> having problems with the DeviceAllow directive.
> 
> If I get it right, if I allow one access, all the remaining devices are 
> disallowed. But my tests show otherwise. The man page doesn't talk about this 
> behavior.
> 
> Have I hit a bug, or does it work as intended?

Note that DeviceAllow= and DeviceDeny= are a pretty straightforward
interface for the devices.allow and devices.deny cgroup attributes.

Please have a look at
http://www.kernel.org/doc/Documentation/cgroups/devices.txt for how to use
those.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
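
The whitelist behavior described in the devices.txt document linked above, as an added example (not part of either message, and not kernel or systemd code): a group starts with a copy of its parent's entries, so adding one entry restricts nothing until the inherited "a *:* rwm" entry is removed. The class and function names and the sample device numbers are assumptions made for this example.

```python
# Simplified model of the device whitelist from cgroups/devices.txt.
# Illustration only: not kernel or systemd code; all names are made up here.
ANY = "*"
RWM = frozenset("rwm")


def parse_entry(text):
    """Parse 'type major:minor access' (e.g. 'c 1:3 rw'); a bare 'a' means all."""
    fields = text.split()
    if fields == ["a"]:
        return ("a", ANY, ANY), RWM
    if len(fields) != 3 or fields[0] not in ("b", "c"):
        raise ValueError(f"bad entry: {text!r}")
    major, sep, minor = fields[1].partition(":")
    access = frozenset(fields[2])
    numbers_ok = all(p == ANY or p.isdigit() for p in (major, minor))
    if not sep or not numbers_ok or not access or not access <= RWM:
        raise ValueError(f"bad entry: {text!r}")
    return (fields[0], major, minor), access


class DeviceCgroup:
    def __init__(self, parent=None):
        # The root group starts with "a *:* rwm"; a child copies its parent.
        self.entries = dict(parent.entries) if parent else dict([parse_entry("a")])

    def allow(self, text):
        """Model of a write to devices.allow: add (or widen) one entry."""
        key, access = parse_entry(text)
        self.entries[key] = self.entries.get(key, frozenset()) | access

    def deny_all(self):
        """Model of writing 'a' to devices.deny: drop every entry."""
        self.entries.clear()

    def permits(self, dev_type, major, minor, access):
        """True if one entry covers the device and every requested access bit."""
        for (etype, emajor, eminor), eaccess in self.entries.items():
            if (etype in ("a", dev_type) and emajor in (ANY, str(major))
                    and eminor in (ANY, str(minor)) and set(access) <= eaccess):
                return True
        return False


if __name__ == "__main__":
    unit = DeviceCgroup(parent=DeviceCgroup())   # inherits "a *:* rwm"
    unit.allow("c 1:3 rw")                       # sample entry: /dev/null
    print(unit.permits("b", 8, 0, "r"))          # sample device outside the entry
    unit.deny_all()
    unit.allow("c 1:3 rw")
    print(unit.permits("b", 8, 0, "r"), unit.permits("c", 1, 3, "rw"))
```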

