Am 21.08.2018 um 09:57 schrieb Umut Tezduyar Lindskog: > I am turning on PrivateDevices and as a result getting a minimal /dev > tree for my service. Then I would like to add some selected devices > with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't > see the device /dev/cam0 in the /dev tree and since the mount space is > RO, I cannot create the device node either. However, the device cgroup > has the right permissions the whole point of "DevicePolicy" is to be more specific than PrivateDevices, sample below is the caching disk for Apache Trafficerver anmd when you read the docs this is "PrivateDevices + /dev/sdc" cat /etc/systemd/system/trafficserver.service.d/security-devices.conf [Service] DevicePolicy=closed DeviceAllow=/dev/sdc rw i really don't see how it would make sense use *both* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html DevicePolicy=auto|closed|strict closed in addition, allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
PrivateDevices= together with DevicePolicy=
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: PrivateDevices= together with DevicePolicy=
- From: h.reindl@xxxxxxxxxxxxx (Reindl Harald)
- Date: Tue, 21 Aug 2018 10:43:16 +0200
- In-reply-to: <CAFKnvs54chS=p3UbiXp=0NYJM3iBzgcrTntnpUByEdyanFbMkw@mail.gmail.com>
- References: <CAFKnvs54chS=p3UbiXp=0NYJM3iBzgcrTntnpUByEdyanFbMkw@mail.gmail.com>
- References:
- PrivateDevices= together with DevicePolicy=
- From: Umut Tezduyar Lindskog
- PrivateDevices= together with DevicePolicy=
- Prev by Date: PrivateDevices= together with DevicePolicy=
- Next by Date: Returning a struct from an sd-bus method
- Previous by thread: PrivateDevices= together with DevicePolicy=
- Next by thread: Re: PrivateDevices= together with DevicePolicy=
- Index(es):
 |