[systemd-devel] PrivateDevices with more than basic set of devices?

Topi Miettinen toiwoton at gmail.com
Tue Jan 27 10:51:17 PST 2015


On 01/26/15 21:04, Lennart Poettering wrote:
> On Mon, 26.01.15 17:07, Topi Miettinen (toiwoton at gmail.com) wrote:
> 
>> On 01/26/15 12:41, Simon McVittie wrote:
>>> On 24/01/15 10:09, Topi Miettinen wrote:
>>>> For example, smartd only needs access to /dev/sd*.
>>>
>>> Let me spell that differently: smartd "only" needs the ability to make
>>> arbitrary filesystem changes, defeating any possible configurable
>>> security mechanism.
>>
>> Not exactly: it only needs read access. Depending on the system, that
>> could be very different from being able to make arbitrary filesystem
>> changes.
> 
> Sending SMART requests requires the same privileges as issuing direct
> low-level write requests to my knowledge, hence I'd say Simon is right.

CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
DevicePolicy=closed
DeviceAllow=block-sd r
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
works fine here.

Probably CAP_SYS_RAWIO can be used to circumvent the lack of write
access, though.

-Topi

> 
> Lennart
> 
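
Added example, not part of the original message or of systemd: a small Python check for the situation discussed above, where DeviceAllow= grants only "r" on block devices while the service still retains CAP_SYS_RAWIO. The [Service] wrapper, the function names and the simplified CapabilityBoundingSet= handling are assumptions made for illustration.

```python
# Added example (not from the thread): audit a unit fragment for read-only
# DeviceAllow= rules that coexist with CAP_SYS_RAWIO in the bounding set.
SAMPLE_DROPIN = """\
[Service]
DevicePolicy=closed
DeviceAllow=block-sd r
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
"""  # constructed: the directives quoted in the message, wrapped in [Service]
RAWIO = "CAP_SYS_RAWIO"

def parse_service(text):
    """Return (DevicePolicy, [(node, access)], rawio_retained) for [Service]."""
    policy, rules, rawio, listed, section = "auto", [], True, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
            continue
        if section != "[Service]" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "DevicePolicy":
            policy = value
        elif key == "DeviceAllow":
            node, _, access = value.partition(" ")
            # An empty assignment resets the list; a bare node means "rwm".
            rules = rules + [(node, access.strip() or "rwm")] if value else []
        elif key == "CapabilityBoundingSet":
            # Simplified model (assumption): with no setting every capability
            # is retained; allow-list lines merge, "~" lines remove, "" clears.
            names = value.lstrip("~").split()
            if not value:
                rawio, listed = False, True
            elif value.startswith("~"):
                rawio, listed = rawio and RAWIO not in names, True
            else:
                rawio, listed = (rawio and listed) or RAWIO in names, True
    return policy, rules, rawio

def audit(text):
    """Flag read-only device rules while CAP_SYS_RAWIO is still retained."""
    policy, rules, rawio = parse_service(text)
    read_only = [node for node, access in rules if "w" not in access]
    flag = policy in ("closed", "strict") and bool(read_only) and rawio
    return {"policy": policy, "read_only_nodes": read_only,
            "rawio_retained": rawio, "flag": flag}
```

A set "flag" means the "r" in DeviceAllow= should not be treated as the effective write boundary for those devices, because the capability question raised in the message is still open for that unit.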


