[systemd-devel] PrivateDevices with more than basic set of devices?

Topi Miettinen toiwoton at gmail.com
Tue Jan 27 14:01:28 PST 2015


On 01/27/15 21:40, Lennart Poettering wrote:
> On Tue, 27.01.15 21:38, Topi Miettinen (toiwoton at gmail.com) wrote:
> 
>>>> CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
>>>> DevicePolicy=closed
>>>> DeviceAllow=block-sd r
>>>> DeviceAllow=/dev/sda r
>>>> DeviceAllow=/dev/sdb r
>>>> works fine here.
>>>
>>> You should be able to reduce this to simply:
>>>
>>>     DeviceAllow=block-sd r
>>>
>>> This should suffice since DevicePolicy=closed is implied if there's at
>>> least one DeviceAllow= specified. And "DeviceAllow=block-sd r" enables
>>> access to all /dev/sd* nodes, which includes /dev/sda and /dev/sdb,
>>> of course.
>>
>> In general yes, but I didn't want to allow SMART requests to /dev/sdc,
>> it's a DVD-ROM drive and there are useless errors if accessed with
>> SMART.
> 
> Well, don't you just get a different error then?

Embarrassingly it looks like I actually fixed the error by editing
smartd.conf and not with the unit file...

-Topi

> 
> That said, if this is really what you want, then you should really
> remove the "DeviceAllow=block-sd r" line, since that opens up access
> to /dev/sdc, too...
> 
> Lennart
> 
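Added example, not part of the thread: a unit drop-in that applies the point Lennart makes above, written for a hypothetical smartd.service (the unit name and drop-in path are assumptions). Both variants are shown in one file for comparison; the over-broad one is left commented out, and the check at the end is the usual way to confirm what systemd actually loaded.

```ini
# Added example, not from the thread. Unit name and path are assumptions.
# File: /etc/systemd/system/smartd.service.d/devices.conf

# --- Variant A: over-broad (what the thread cautions against) ---
# "block-sd" covers every /dev/sd* node, so /dev/sdc (the DVD-ROM) is
# reachable as well; the two explicit lines under it add nothing.
#[Service]
#DeviceAllow=block-sd r
#DeviceAllow=/dev/sda r
#DeviceAllow=/dev/sdb r

# --- Variant B: minimal read-only allowlist for the two disks ---
# DevicePolicy=closed is implied once any DeviceAllow= is present, but
# stating it keeps the intent visible to the next person editing the unit.
[Service]
DevicePolicy=closed
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r

# Verify the effective settings after `systemctl daemon-reload`:
#   systemctl show -p DevicePolicy -p DeviceAllow smartd.service
```

Note that `closed` still grants the standard pseudo-devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom) in addition to the listed nodes; `strict` is the policy that withholds even those, so pick `closed` only when the service needs them.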


