[systemd-devel] How to Restrict device in systemd?

Kirill Elagin kirelagin at gmail.com
Tue Jun 3 23:47:46 PDT 2014


First of all, according to docs, `DeviceAllow` syntax is somewhat different
from what you have.
Second, you might want to check `DevicePolicy`, as now your unit has access
not only to `/dev/zero`, but also to four other devices.

And hm, I thought those directives control access to device nodes. Why are
you expecting them to limit access to the filesystem?


--
Кирилл Елагин


On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagrawa at redhat.com> wrote:

> Hi,
>
> I want to block the device through the systemd cgroup, so I have created the
> unit file below
>
> [Unit]
> Description=mydevblock
> [Service]
> DeviceAllow=/dev/zero
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> Restart=always
> [Install]
> WantedBy=multi-user.target
>
>
> As per my understanding, in this unit file I have allowed only the /dev/zero
> device, so the dd command should not create file_1 successfully; it should
> give an error.
>
> systemctl start mydevblock.service
>
> Below is the status after starting the service; file_1 is successfully
> created
>
> [host-name ~]# systemctl status mydevblock.service
> ● mydev.service - mydevblock
>    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
>    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;
> 831ms ago
>   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
> count=40 (code=exited, status=0/SUCCESS)
>  Main PID: 27800 (code=exited, status=0/SUCCESS)
>
> Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
> scheduling restart.
> Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request
> repeated too quickly, refusing to start.
> Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed
> state.
>
> [host-name> ~]# ls -lrt
> -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
>
>
> Can someone explain why file_1 is created successfully?
> Does anyone have an idea how I can put the restriction on the device?
> Appreciate your inputs on this.
>
>
> Regards
> Mohit Agrawal
>
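Added illustration (not code from the thread or from systemd itself) of the two points made in the reply above: the access-mode suffix on DeviceAllow= and the implicit pseudo devices that DevicePolicy= admits. The script parses a unit's [Service] section and reports which device nodes the service can open and with what rights. It assumes the documented DevicePolicy= semantics: auto becomes closed once any DeviceAllow= is present, closed implicitly admits the pseudo devices named in systemd.resource-control(5), and strict admits only what is listed. An omitted access string is treated as rwm, which mirrors how systemd's own parser defaults it; the exact implicit device list and the defaulting behaviour can differ between systemd versions, so write the mode explicitly as the documentation shows.

```python
"""Report the device nodes a systemd service may access, given its
[Service] DeviceAllow= and DevicePolicy= settings.
Added example for this thread; hand-rolled minimal unit-file parser."""
import re

# Pseudo devices that DevicePolicy=closed admits implicitly, as named in
# systemd.resource-control(5). Assumption: the exact implicit list may vary
# slightly between systemd versions.
CLOSED_IMPLICIT = ("/dev/null", "/dev/zero", "/dev/full",
                   "/dev/random", "/dev/urandom")

ACCESS_RE = re.compile(r"^[rwm]+$")


def parse_service_section(unit_text):
    """Return (device_allow, device_policy) from the [Service] section.
    device_allow is a list of (path, access) tuples; access defaults to
    'rwm' when an entry names only the device node."""
    section, allow, policy = None, [], "auto"
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DevicePolicy":
            policy = value
        elif key == "DeviceAllow":
            if value == "":          # empty assignment resets the list
                allow.clear()
                continue
            parts = value.split()
            access = parts[1] if len(parts) > 1 else "rwm"
            if not ACCESS_RE.match(access):
                raise ValueError(f"bad access mode {access!r} in {line!r}")
            allow.append((parts[0], access))
    return allow, policy


def effective_devices(unit_text):
    """Map device path -> access string the unit may use, or None when
    no device cgroup restriction applies at all."""
    allow, policy = parse_service_section(unit_text)
    if policy == "auto":
        # Without any DeviceAllow= there is no restriction; with one, auto
        # behaves like closed.
        policy = "closed" if allow else "off"
    if policy == "off":
        return None
    effective = {}
    if policy == "closed":
        for dev in CLOSED_IMPLICIT:
            effective[dev] = "rwm"
    elif policy != "strict":
        raise ValueError(f"unknown DevicePolicy {policy!r}")
    for path, access in allow:
        # cgroup device rules are additive, so rights are unioned per node
        merged = effective.get(path, "") + access
        effective[path] = "".join(c for c in "rwm" if c in merged)
    return effective


def report(unit_text):
    """Human-readable lines for a unit's effective device access."""
    devs = effective_devices(unit_text)
    if devs is None:
        return ["no device restriction"]
    return [f"{path} {access}" for path, access in sorted(devs.items())]


# Constructed sample: the unit as posted in the thread.
POSTED_UNIT = """\
[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
Restart=always
[Install]
WantedBy=multi-user.target
"""

# Constructed sample: same unit with an explicit access mode and a strict
# policy, so only reading /dev/zero is permitted by the device cgroup.
STRICT_UNIT = POSTED_UNIT.replace(
    "DeviceAllow=/dev/zero",
    "DevicePolicy=strict\nDeviceAllow=/dev/zero r")

if __name__ == "__main__":
    for name, text in (("posted", POSTED_UNIT), ("strict", STRICT_UNIT)):
        print(name)
        for line in report(text):
            print("  " + line)
```

Running it shows the posted unit reaching /dev/zero plus the four other pseudo devices with full rights, and the strict variant reaching only /dev/zero for reading. In both cases dd still succeeds, because the device cgroup only gates opening device nodes; the write to /root/file_1 is an ordinary filesystem operation, which is the second point in the reply. Restricting that belongs to the filesystem sandboxing directives in systemd.exec(5) (for example ReadOnlyDirectories=), not to DeviceAllow=.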