[systemd-devel] PrivateDevices= together with DevicePolicy=

Reindl Harald h.reindl at thelounge.net
Tue Aug 21 08:43:16 UTC 2018
On 21.08.2018 at 09:57, Umut Tezduyar Lindskog wrote:
> I am turning on PrivateDevices and as a result getting a minimal /dev
> tree for my service. Then I would like to add some selected devices
> with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
> see the device /dev/cam0 in the /dev tree and since the mount space is
> RO, I cannot create the device node either. However, the device cgroup
> has the right permissions

the whole point of "DevicePolicy" is to be more specific than
PrivateDevices; the sample below is the caching disk for Apache Traffic Server,
and when you read the docs this is "PrivateDevices + /dev/sdc"

cat /etc/systemd/system/trafficserver.service.d/security-devices.conf
[Service]
DevicePolicy=closed
DeviceAllow=/dev/sdc rw

I really don't see how it would make sense to use *both*

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

DevicePolicy=auto|closed|strict
closed in addition, allows access to standard pseudo devices including
/dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom


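Added example, not code from the thread, from Reindl Harald, or from systemd: a small POSIX sh model of which /dev nodes a service can open under PrivateDevices= and DevicePolicy=/DeviceAllow=, following the man page wording quoted above. It reproduces both situations in the thread: the DevicePolicy=closed drop-in for /dev/sdc, and the original poster's PrivateDevices=yes plus DeviceAllow=/dev/cam0, where the cgroup would permit the node but the private /dev never contains it. Assumption not taken from the page: the minimal /dev that PrivateDevices= provides is modelled as the closed pseudo-device list plus /dev/tty; the exact set is documented in systemd.exec(5). The drop-in bodies are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): model which /dev nodes
# a service can open under PrivateDevices= and DevicePolicy=/DeviceAllow=.
# Assumption (not on the page): the private /dev is modelled as the closed
# pseudo-device list plus /dev/tty; systemd.exec(5) lists the real contents.

# Pseudo devices that DevicePolicy=closed always permits (quoted in the thread).
PSEUDO_DEVICES="/dev/null /dev/zero /dev/full /dev/random /dev/urandom"

# Constructed drop-in in the style of the one shown in the message.
DROPIN_CLOSED='[Service]
DevicePolicy=closed
DeviceAllow=/dev/sdc rw'

# Constructed drop-in reproducing the original poster's combination.
DROPIN_PRIVATE='[Service]
PrivateDevices=yes
DevicePolicy=auto
DeviceAllow=/dev/cam0 rw'

# get_key BODY KEY: last value of KEY= in the drop-in body (later lines win).
get_key() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# in_list ITEM WORD...: 0 if ITEM equals one of the WORDs.
in_list() {
    item=$1; shift
    for w in "$@"; do
        [ "$w" = "$item" ] && return 0
    done
    return 1
}

# device_access BODY PATH: prints "allowed", "denied-cgroup" or "missing-node".
# Always returns 0 so it composes with set -e in callers.
device_access() {
    body=$1; dev=$2
    policy=$(get_key "$body" DevicePolicy)
    [ -n "$policy" ] || policy=auto
    private=$(get_key "$body" PrivateDevices)
    # Paths from every DeviceAllow= line, with the access mode stripped.
    allow=$(printf '%s\n' "$body" | sed -n 's/^DeviceAllow=//p' | cut -d' ' -f1)

    # The device cgroup only filters nodes that exist in the service's /dev;
    # a private /dev carries no physical device nodes, so /dev/cam0 is absent.
    if [ "$private" = yes ] && ! in_list "$dev" $PSEUDO_DEVICES /dev/tty; then
        echo missing-node
        return 0
    fi

    # auto with no DeviceAllow= allows everything; with one it acts like closed.
    if [ "$policy" = auto ] && [ -z "$allow" ]; then
        echo allowed
        return 0
    fi
    # closed (and auto-with-DeviceAllow) admits the standard pseudo devices;
    # strict admits only explicit DeviceAllow= entries.
    if [ "$policy" != strict ] && in_list "$dev" $PSEUDO_DEVICES; then
        echo allowed
        return 0
    fi
    for a in $allow; do
        if [ "$a" = "$dev" ]; then
            echo allowed
            return 0
        fi
    done
    echo denied-cgroup
}

# Demonstration over the two constructed drop-ins.
for dev in /dev/sdc /dev/sda /dev/null /dev/cam0; do
    printf 'closed  %-10s %s\n' "$dev" "$(device_access "$DROPIN_CLOSED" "$dev")"
    printf 'private %-10s %s\n' "$dev" "$(device_access "$DROPIN_PRIVATE" "$dev")"
done
```

On a live system the same three settings can be read back for the real unit with `systemctl show -p PrivateDevices -p DevicePolicy -p DeviceAllow trafficserver.service`, which is the quickest way to see whether a drop-in combined them the way you intended.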