[systemd-devel] How to Restrict device in systemd?

Kirill Elagin kirelagin at gmail.com
Wed Jun 4 00:29:06 PDT 2014


Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two
space-separated strings: a device node path (such as /dev/null) followed by
a combination of r, w, m”.

But that's not the main issue here. The main issue here is that
devices.allow and devices.deny control access to _devices_.
Your own user doesn't have write access to `/dev/sda`, but, somehow, you
still can create files in your home directory, right? That's because file
creation (and actually all filesystem access) is done through kernel
interfaces, not by reading/writing device nodes directly (that would be
kind of insecure, right?).

I can't come up with a proper solution to limit FS access if your process
will be running as root.


--
Кирилл Елагин


On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagrawa at redhat.com> wrote:

> Hi Kirill,
>
>
> Thanks for your valuable reply. As per the man page, DeviceAllow is used to
> control access to specific device nodes by the executed process, and it
> also controls both devices.allow and devices.deny; my query is how it
> controls devices.deny. I am assuming that after updating DevicePolicy to
> strict, the process can only use the allowed types of devices and no other
> devices, but after adding the DevicePolicy it is still trying to create the
> file on /root/file_1.
>
> DeviceAllow=
>            Control access to specific device nodes by the executed
>            processes. Takes two space-separated strings: a device node path
>            (such as /dev/null) followed by a combination of r, w, m to
>            control reading, writing, or creation of the specific device
>            node by the unit (mknod), respectively. This controls the
>            "devices.allow" and "devices.deny" control group attributes. For
>            details about these control group attributes, see
>            devices.txt[4].
>
>        DevicePolicy=auto|closed|strict
>            Control the policy for allowing device access:
>
>            strict
>                means to only allow types of access that are explicitly
>                specified.
>
> [Unit]
> Description=mydevblock
> [Service]
> DeviceAllow=/dev/zero
> DevicePolicy=strict
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
> Restart=always
> [Install]
> WantedBy=multi-user.target
>
> I believe it should restrict creating the file.
>
>
> Regards
> Mohit Agrawal
>
>
>
> ----- Original Message -----
> From: "Kirill Elagin" <kirelagin at gmail.com>
> To: "Mohit Agrawal" <moagrawa at redhat.com>
> Cc: "systemd Mailing List" <systemd-devel at lists.freedesktop.org>
> Sent: Wednesday, June 4, 2014 12:17:46 PM
> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>
> First of all, according to docs, `DeviceAllow` syntax is somewhat different
> from what you have.
> Second, you might want to check `DevicePolicy`, as now your unit has access
> not only to `/dev/zero`, but also to four other devices.
>
> And hm, I thought, those directives control access to device nodes. Why are
> you expecting them to limit access to the filesystem?
>
>
> --
> Кирилл Елагин
>
>
> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagrawa at redhat.com>
> wrote:
>
> > Hi,
> >
> > I want to block the device through the systemd cgroup so I have created a
> > below unit file
> >
> > [Unit]
> > Description=mydevblock
> > [Service]
> > DeviceAllow=/dev/zero
> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> > Restart=always
> > [Install]
> > WantedBy=multi-user.target
> >
> >
> > As per my understanding, in this unit file I have allowed only the /dev/zero
> > device, so the dd command should not create file_1 successfully; it should
> > give an error.
> >
> > systemctl start mydevblock.service
> >
> > Below is the status after starting the service; file_1 is successfully
> > created.
> >
> > [host-name ~]# systemctl status mydevblock.service
> > ● mydev.service - mydevblock
> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST; 831ms ago
> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
> > count=40 (code=exited, status=0/SUCCESS)
> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
> >
> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
> > scheduling restart.
> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> > Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request
> > repeated too quickly, refusing to start.
> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed
> > state.
> >
> > [host-name> ~]# ls -lrt
> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
> >
> >
> > Can someone reply why file_1 is created successfully?
> > Does anyone have an idea how I can put the restriction on the device?
> > I appreciate your inputs on this.
> >
> >
> > Regards
> > Mohit Agrawal
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> >
>
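An added example (mine, not from the thread) of the unit with the DeviceAllow syntax the man page excerpt above describes, plus the separate mount-namespace sandboxing directives that actually limit filesystem writes; ProtectHome= and ProtectSystem= are assumed to be available in the systemd version in use, and systemd unit files do not allow trailing comments on a value line, so every comment sits on its own line:

```ini
[Unit]
Description=mydevblock

[Service]
# Device-node access only: with a strict policy the cgroup devices
# controller denies every node that is not listed. The value is the
# node path followed by a space and the r/w/m access string; the
# original "DeviceAllow=/dev/zero" lacked the access string.
DevicePolicy=strict
DeviceAllow=/dev/zero r

# DeviceAllow= says nothing about regular files. Writes to /root/file_1
# go through the VFS, so they are stopped only by filesystem sandboxing:
# ProtectHome=yes hides /root and /home from the service (root included),
# ProtectSystem=full mounts /usr, /boot and /etc read-only.
ProtectHome=yes
ProtectSystem=full
PrivateTmp=yes

ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400

# Restart=always is deliberately omitted: a short-lived ExecStart that
# is relaunched on every exit trips the start limit, which is the
# "Result: start-limit" failure seen in the status output above.

[Install]
WantedBy=multi-user.target
```

With this unit the dd process still reads /dev/zero, but the open of /root/file_1 fails inside the service's private mount namespace, which is the restriction the thread was actually after.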