[systemd-devel] How to Restrict device in systemd?

Kirill Elagin kirelagin at gmail.com
Wed Jun 4 00:33:47 PDT 2014


Here is proof that this kind of limiting for devices actually works. This
service is trying to read the first byte of `/dev/sda1` but is allowed to
access `/dev/zero` only:

~~~~~~~
[Unit]
Description=test
[Service]
Type=oneshot
ExecStart=/bin/head /dev/sda1 -c 1
DeviceAllow=/dev/zero r
DevicePolicy=strict
~~~~~~~

~~~~~~~
# systemctl start bar.service
Job for bar.service failed. See 'systemctl status bar.service' and 'journalctl -xn' for details.

# systemctl status bar.service
<...>
Jun 04 11:30:53 kirNote head[26237]: /bin/head: cannot open ‘/dev/sda1’ for reading: Operation not permitted
Jun 04 11:30:53 kirNote systemd[1]: bar.service: main process exited, code=exited, status=1/FAILURE
Jun 04 11:30:53 kirNote systemd[1]: Failed to start test.
Jun 04 11:30:53 kirNote systemd[1]: Unit bar.service entered failed state.
~~~~~~~



--
Кирилл Елагин


On Wed, Jun 4, 2014 at 11:29 AM, Kirill Elagin <kirelagin at gmail.com> wrote:

> Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two
> space-separated strings: a device node path (such as /dev/null) followed by
> a combination of r, w, m”.
>
> But that's not the main issue here. The main issue here is that
> devices.allow and devices.deny control access to _devices_.
> Your own user doesn't have write access to `/dev/sda`, but, somehow, you
> can still create files in your home directory, right? That's because file
> creation (and actually all filesystem access) is done through kernel
> interfaces, not by reading/writing device nodes directly (that would be
> kind of insecure, right?).
>
> I can't come up with a proper solution to limit FS access if your process
> will be running as root.
>
>
> --
> Кирилл Елагин
>
>
> On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagrawa at redhat.com>
> wrote:
>
>> Hi Kirill,
>>
>>
>> Thanks for your valuable reply. As per the man page, DeviceAllow is used to
>> control access to specific device nodes by the executed process; this also
>> controls both devices.allow and devices.deny (my query is how it controls
>> devices.deny). I am assuming that after updating DevicePolicy to strict, the
>> process can use only the allowed types of devices and no other devices, but
>> after adding DevicePolicy it is still able to create the file /root/file_1.
>>
>> DeviceAllow=
>>            Control access to specific device nodes by the executed
>>            processes. Takes two space-separated strings: a device node path
>>            (such as /dev/null) followed by a combination of r, w, m to
>>            control reading, writing, or creation of the specific device node
>>            by the unit (mknod), respectively. This controls the
>>            "devices.allow" and "devices.deny" control group attributes. For
>>            details about these control group attributes, see devices.txt[4].
>>
>>        DevicePolicy=auto|closed|strict
>>            Control the policy for allowing device access:
>>
>>            strict
>>                means to only allow types of access that are explicitly
>>                specified.
>>
>> [Unit]
>> Description=mydevblock
>> [Service]
>> DeviceAllow=/dev/zero
>> DevicePolicy=strict
>> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
>> Restart=always
>> [Install]
>> WantedBy=multi-user.target
>>
>> I believe it should restrict creating the file.
>>
>>
>> Regards
>> Mohit Agrawal
>>
>>
>>
>> ----- Original Message -----
>> From: "Kirill Elagin" <kirelagin at gmail.com>
>> To: "Mohit Agrawal" <moagrawa at redhat.com>
>> Cc: "systemd Mailing List" <systemd-devel at lists.freedesktop.org>
>> Sent: Wednesday, June 4, 2014 12:17:46 PM
>> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>>
>> First of all, according to docs, `DeviceAllow` syntax is somewhat different
>> from what you have.
>> Second, you might want to check `DevicePolicy`, as now your unit has access
>> not only to `/dev/zero`, but also to four other devices.
>>
>> And hm, I thought those directives control access to device nodes. Why are
>> you expecting them to limit access to the filesystem?
>>
>>
>> --
>> Кирилл Елагин
>>
>>
>> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagrawa at redhat.com>
>> wrote:
>>
>> > Hi,
>> >
>> > I want to block the device through the systemd cgroup, so I have created
>> > the unit file below
>> >
>> > [Unit]
>> > Description=mydevblock
>> > [Service]
>> > DeviceAllow=/dev/zero
>> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
>> > Restart=always
>> > [Install]
>> > WantedBy=multi-user.target
>> >
>> >
>> > As per my understanding, in this unit file I have allowed only the /dev/zero
>> > device, so the dd command should not create file_1 successfully; it should
>> > give an error.
>> >
>> > systemctl start mydevblock.service
>> >
>> > Below is the status after starting the service; file_1 is successfully
>> > created
>> >
>> > [host-name ~]# systemctl status mydevblock.service
>> > ● mydev.service - mydevblock
>> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
>> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST; 831ms ago
>> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40 (code=exited, status=0/SUCCESS)
>> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
>> >
>> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over, scheduling restart.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
>> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
>> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service start request repeated too quickly, refusing to start.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed state.
>> >
>> > [host-name ~]# ls -lrt
>> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
>> >
>> >
>> > Can someone explain why file_1 is created successfully?
>> > Does anyone have an idea how I can put the restriction on the device?
>> > I appreciate your inputs on this.
>> >
>> >
>> > Regards
>> > Mohit Agrawal
>> > _______________________________________________
>> > systemd-devel mailing list
>> > systemd-devel at lists.freedesktop.org
>> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> >
>>
>
>
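As an added example, not part of the thread and not systemd's own code, the following POSIX shell script checks a unit file for the two problems Kirill points out (a `DeviceAllow=` line without an r/w/m access spec, and a `DevicePolicy=` that is not `strict`) and prints the cgroup v1 `devices.allow` rule that a `DeviceAllow=` line turns into. The two unit fragments are constructed for the example (one mirrors the original post, one the corrected form from the `/dev/sda1` proof above); the function names `lint_unit` and `cgroup_rule` are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: a small linter for the
# DeviceAllow=/DevicePolicy= directives discussed above, plus a helper that shows
# the cgroup v1 devices.allow rule a DeviceAllow= line turns into.

# Two unit fragments constructed for this example. WEAK_UNIT mirrors the first
# post (no access spec, no DevicePolicy=); FIXED_UNIT is the corrected form used
# in the /dev/sda1 proof at the top of the thread.
WEAK_UNIT='[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400'

FIXED_UNIT='[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero r
DevicePolicy=strict
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400'

# lint_unit: read a unit file on stdin, print one finding per line, return 1 if
# anything was found and 0 if the device directives look right.
lint_unit() {
    findings=0
    policy=""
    while IFS= read -r line; do
        case "$line" in
            DeviceAllow=*)
                spec=${line#DeviceAllow=}
                node=${spec%% *}        # first word: the device node path
                mode=${spec#"$node"}    # remainder: the r/w/m access spec
                mode=${mode# }
                if [ -z "$mode" ]; then
                    # Documented form is "<node> <rwm>"; newer systemd treats a
                    # missing spec as rwm, which is broader than intended anyway.
                    echo "DeviceAllow=$spec: no access spec (expected a combination of r, w, m)"
                    findings=1
                else
                    case "$mode" in
                        *[!rwm]*|????*)
                            echo "DeviceAllow=$spec: invalid access spec '$mode'"
                            findings=1 ;;
                    esac
                fi ;;
            DevicePolicy=*)
                policy=${line#DevicePolicy=} ;;
        esac
    done
    if [ "$policy" != strict ]; then
        # With a DeviceAllow= present, the default (auto) behaves like closed:
        # besides the listed nodes, /dev/null, /dev/zero, /dev/full,
        # /dev/random and /dev/urandom stay reachable.
        echo "DevicePolicy=${policy:-auto (default)}: standard pseudo devices stay allowed; use strict to allow only the listed nodes"
        findings=1
    fi
    return "$findings"
}

# cgroup_rule NODE MODE: print the cgroup v1 "devices.allow" entry that
# "DeviceAllow=NODE MODE" becomes, e.g. "c 1:5 r" for /dev/zero.
# Needs GNU stat (%t/%T print the major/minor numbers in hex).
cgroup_rule() {
    node=$1; mode=$2
    if [ -c "$node" ]; then kind=c
    elif [ -b "$node" ]; then kind=b
    else echo "$node: not a device node" >&2; return 1
    fi
    major=$(stat -c '%t' "$node") || return 1
    minor=$(stat -c '%T' "$node") || return 1
    printf '%s %d:%d %s\n' "$kind" "0x$major" "0x$minor" "$mode"
}

# Stand-alone demo: lint both fragments, then show the rule for the fixed line.
echo "== weak unit =="
printf '%s\n' "$WEAK_UNIT" | lint_unit || true
echo "== fixed unit =="
printf '%s\n' "$FIXED_UNIT" | lint_unit && echo "no findings"
[ -c /dev/zero ] && cgroup_rule /dev/zero r || true
```

What the linter deliberately does not check is the thread's main point: the device cgroup only sees opens of device nodes, so even the corrected unit still writes `/root/file_1` through the filesystem. Confining that for a root service needs the mount-namespace directives (`ReadOnlyDirectories=`/`ReadWriteDirectories=` in 2014-era systemd, renamed `ReadOnlyPaths=`/`ReadWritePaths=` later), together with `CapabilityBoundingSet=` dropping `CAP_SYS_ADMIN` so the service cannot remount them read-write. On cgroup v2 systemd enforces the same device policy with a BPF program rather than a `devices.allow` file, so the rule format printed by `cgroup_rule` is the v1 one.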