[systemd-devel] PrivateDevices= together with DevicePolicy=
Umut Tezduyar Lindskog
umut at tezduyar.com
Tue Aug 21 07:57:49 UTC 2018
Hi,
I am turning on PrivateDevices and as a result getting a minimal /dev
tree for my service. Then I would like to add some selected devices
with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
see the device /dev/cam0 in the /dev tree and since the mount space is
RO, I cannot create the device node either. However, the device cgroup
has the right permissions.
Could you please explain if this is the expected behaviour?
systemd 239
-PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT -UTMP
-LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS
+KMOD -IDN2 -IDN -PCRE2 default-hierarchy=legacy
cat a.service
[Service]
PrivateDevices=yes
DevicePolicy=auto
DeviceAllow=/dev/cam0
ExecStart=/bin/sh -c "ls -al /dev && cat /sys/fs/cgroup/devices/system.slice/a.service/devices.list"
Aug 21 06:17:32 axis-acccxxxxxxxx systemd[1]: Started a.service.
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 6 root root 380 Aug 21 06:17 .
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 15 root root 1520 Aug 20 14:06 ..
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 11 Aug 21 06:17 core -> /proc/kcore
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 13 Aug 21 06:17 fd -> /proc/self/fd
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 7 Aug 21 06:17 full
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 hugepages
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 28 Aug 21 06:17 log -> /run/systemd/journal/dev-log
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 mqueue
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 3 Aug 21 06:17 null
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 5, 2 Aug 21 06:17 ptmx
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 0 Aug 21 06:12 pts
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 8 Aug 21 06:17 random
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxrwxrwt 2 root root 100 Aug 21 06:13 shm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stderr -> /proc/self/fd/2
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdin -> /proc/self/fd/0
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdout -> /proc/self/fd/1
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 5, 0 Aug 21 06:17 tty
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 9 Aug 21 06:17 urandom
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 5 Aug 21 06:17 zero
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:3 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:5 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:7 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:8 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:9 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 5:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 5:2 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 0:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: b 0:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 136:* rw
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 61:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx systemd[1]: a.service: Consumed 64ms CPU time
root at axis-acccxxxxxxxx:/etc/systemd/system# ls -al /dev | grep cam0
crw-rw-rw- 1 root video 61, 0 Aug 20 13:52 cam0
Umut
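As an added example (not from the post above and not systemd's own code), here is a POSIX shell check that reads a cgroup v1 devices.list in the format the service printed and answers whether a given device type, major:minor and access set is whitelisted. The post's own devices.list is embedded as the constructed sample. The point it makes concrete is that two separate mechanisms are in play: DevicePolicy=/DeviceAllow= program the device cgroup, while PrivateDevices= decides which nodes exist in the service's private /dev, so a node can be fully permitted by the cgroup (c 61:0 rwm) and still be absent from the namespace. The function names cgroup_allows and node_spec are my own; node_spec assumes GNU stat.

```shell
#!/bin/sh
# Added example: check a cgroup v1 devices.list for a specific device node.
# Not part of the original post or of systemd; function names are my own.

# Constructed sample: the devices.list of a.service as shown in the post.
SAMPLE_DEVICES_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 0:0 rwm
b 0:0 rwm
c 136:* rw
c 61:0 rwm'

# cgroup_allows LIST TYPE MAJOR MINOR ACCESS
# Returns 0 when every letter of ACCESS (a subset of "rwm") is granted to
# TYPE MAJOR:MINOR by at least one matching line of LIST. Type "a" and a
# "*" major or minor are wildcards, as in the kernel's devices.list format.
cgroup_allows() {
    list=$1 want_type=$2 want_major=$3 want_minor=$4 want_access=$5
    granted=
    while read -r type majmin access; do
        [ -n "$type" ] || continue
        case $type in
            a) ;;                  # "a" matches every device type
            "$want_type") ;;
            *) continue ;;
        esac
        major=${majmin%%:*}
        minor=${majmin#*:}
        [ "$major" = '*' ] || [ "$major" = "$want_major" ] || continue
        [ "$minor" = '*' ] || [ "$minor" = "$want_minor" ] || continue
        granted="$granted$access"   # union of access bits over matching lines
    done <<EOF
$list
EOF
    rest=$want_access
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}      # first character of the remaining request
        rest=${rest#?}
        case $granted in *"$ch"*) ;; *) return 1 ;; esac
    done
    return 0
}

# node_spec PATH -> prints "TYPE MAJOR MINOR" for a device node.
# Uses GNU stat (%t/%T are hex major/minor); fails for non-device paths.
node_spec() {
    if [ -c "$1" ]; then t=c; elif [ -b "$1" ]; then t=b; else return 1; fi
    set -- "$1" $(stat -c '%t %T' "$1")
    printf '%s %d %d\n' "$t" "$((0x$2))" "$((0x$3))"
}

# Offline demo on the constructed list: the cgroup does permit cam0 (61:0).
if cgroup_allows "$SAMPLE_DEVICES_LIST" c 61 0 rw; then
    echo "cgroup permits c 61:0 rw; a missing /dev/cam0 is a mount-namespace issue, not a cgroup one"
fi

# Optional live check from inside a service: sh check.sh /dev/cam0
# Compares what the kernel's devices.list allows with whether the node exists.
if [ $# -gt 0 ]; then
    list_file=/sys/fs/cgroup/devices/devices.list
    if [ -e "$1" ]; then
        spec=$(node_spec "$1") || { echo "$1 is not a device node"; exit 1; }
        if [ -r "$list_file" ] && cgroup_allows "$(cat "$list_file")" $spec rw; then
            echo "$1 present and allowed ($spec)"
        else
            echo "$1 present but not allowed rw by $list_file"
        fi
    else
        echo "$1 not visible in this mount namespace (check PrivateDevices=/BindPaths=)"
    fi
fi
```

Run it inside the unit (for instance from ExecStart=) to see both answers at once. Note that PrivateDevices=yes already implies DevicePolicy=closed, which whitelists only the standard pseudo devices; if all that is wanted is cgroup-level restriction to a chosen node, DevicePolicy=closed plus DeviceAllow=/dev/cam0 rw without PrivateDevices= leaves the host /dev visible and lets the device cgroup do the gating.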