Hi,

I am turning on PrivateDevices and as a result getting a minimal /dev tree for my service. Then I would like to add some selected devices with DevicePolicy=auto & DeviceAllow=/dev/cam0.

As a result, I don't see the device /dev/cam0 in the /dev tree and since the mount space is RO, I cannot create the device node either. However, the device cgroup has the right permissions.

Could you please explain if this is the expected behaviour?

systemd 239
-PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=legacy

cat a.service

[Service]
PrivateDevices=yes
DevicePolicy=auto
DeviceAllow=/dev/cam0
ExecStart=/bin/sh -c "ls -al /dev && cat /sys/fs/cgroup/devices/system.slice/a.service/devices.list"

Aug 21 06:17:32 axis-acccxxxxxxxx systemd[1]: Started a.service.
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 6 root root 380 Aug 21 06:17 .
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 15 root root 1520 Aug 20 14:06 ..
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 11 Aug 21 06:17 core -> /proc/kcore
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 13 Aug 21 06:17 fd -> /proc/self/fd
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 7 Aug 21 06:17 full
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 hugepages
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 28 Aug 21 06:17 log -> /run/systemd/journal/dev-log
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 mqueue
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 3 Aug 21 06:17 null
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 5, 2 Aug 21 06:17 ptmx
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxr-xr-x 2 root root 0 Aug 21 06:12 pts
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 8 Aug 21 06:17 random
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: drwxrwxrwt 2 root root 100 Aug 21 06:13 shm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stderr -> /proc/self/fd/2
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdin -> /proc/self/fd/0
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdout -> /proc/self/fd/1
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 5, 0 Aug 21 06:17 tty
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 9 Aug 21 06:17 urandom
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: crw-rw-rw- 1 root root 1, 5 Aug 21 06:17 zero
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:3 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:5 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:7 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:8 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 1:9 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 5:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 5:2 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 0:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: b 0:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 136:* rw
Aug 21 06:17:32 axis-acccxxxxxxxx sh[5340]: c 61:0 rwm
Aug 21 06:17:32 axis-acccxxxxxxxx systemd[1]: a.service: Consumed 64ms CPU time

root@axis-acccxxxxxxxx:/etc/systemd/system# ls -al /dev | grep cam0
crw-rw-rw- 1 root video 61, 0 Aug 20 13:52 cam0

Umut
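
The output in the post covers two separate things for each device number: what the device cgroup allows, and whether a node for it exists in the service's /dev. The following is an added example, not part of the original post, that cross-checks the two for one device number; the function name device_status is hypothetical and the sample data is the post's own output with the journal prefix stripped.

```shell
#!/bin/sh
# Device nodes from the post's `ls -al /dev` output (journal prefix stripped).
DEV_LISTING='crw-rw-rw- 1 root root 1, 7 Aug 21 06:17 full
crw-rw-rw- 1 root root 1, 3 Aug 21 06:17 null
crw-rw-rw- 1 root root 5, 2 Aug 21 06:17 ptmx
crw-rw-rw- 1 root root 1, 8 Aug 21 06:17 random
crw-rw-rw- 1 root root 5, 0 Aug 21 06:17 tty
crw-rw-rw- 1 root root 1, 9 Aug 21 06:17 urandom
crw-rw-rw- 1 root root 1, 5 Aug 21 06:17 zero'

# devices.list entries from the same output (journal prefix stripped).
DEVICES_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 0:0 rwm
b 0:0 rwm
c 136:* rw
c 61:0 rwm'

# device_status TYPE MAJOR:MINOR  (hypothetical helper, not a systemd tool)
# Prints the cgroup access granted to the device and whether /dev has a node.
device_status() {
    printf '%s\n---\n%s\n' "$DEV_LISTING" "$DEVICES_LIST" |
    awk -v type="$1" -v dev="$2" '
        BEGIN { split(dev, want, ":"); access = "none"; node = "absent" }
        $0 == "---" { in_cgroup = 1; next }
        # ls -al device line: mode links owner group "MAJOR," MINOR date name
        !in_cgroup && substr($1, 1, 1) == type {
            major = $5; sub(/,$/, "", major)
            if (major == want[1] && $6 == want[2]) node = "present"
            next
        }
        # devices.list line: TYPE MAJOR:MINOR ACCESS, where "*" matches any
        in_cgroup && ($1 == type || $1 == "a") {
            split($2, have, ":")
            if ((have[1] == "*" || have[1] == want[1]) &&
                (have[2] == "*" || have[2] == want[2])) access = $3
        }
        END { print "cgroup=" access, "node=" node }'
}

device_status c 61:0   # /dev/cam0 on the host, per the post
device_status c 1:3    # /dev/null
```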