From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 8 Sep 2021 13:46:17 +0000 (+0200)
Subject: man: cross-reference DeviceAllow= and PrivateDevices=
X-Git-Tag: v250-rc1~618^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a14e028e869739021482c86ef3aeb861b0342dd4;p=thirdparty%2Fsystemd.git

man: cross-reference DeviceAllow= and PrivateDevices=

They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages. For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.)

--- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index eadfc024213..ddcd0f1c257 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml
@@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd PrivateDevices= - Takes a boolean argument. If true, sets up a new /dev/ mount for the - executed processes and only adds API pseudo devices such as /dev/null, - /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, - but no physical devices such as /dev/sda, system memory /dev/mem, - system ports /dev/port and others. This is useful to securely turn off physical device - access by the executed process. Defaults to false. Enabling this option will install a system call filter to - block low-level I/O system calls that are grouped in the @raw-io set, will also remove - CAP_MKNOD and CAP_SYS_RAWIO from the capability bounding set for the - unit (see above), and set DevicePolicy=closed (see + Takes a boolean argument. If true, sets up a new /dev/ mount for + the executed processes and only adds API pseudo devices such as /dev/null, + /dev/zero or /dev/random (as well as the pseudo TTY + subsystem) to it, but no physical devices such as /dev/sda, system memory + /dev/mem, system ports /dev/port and others. This is useful + to turn off physical device access by the executed process. Defaults to false. + + Enabling this option will install a system call filter to block low-level I/O system calls that + are grouped in the @raw-io set, remove CAP_MKNOD and + CAP_SYS_RAWIO from the capability bounding set for the unit, and set + DevicePolicy=closed (see systemd.resource-control5 - for details). Note that using this setting will disconnect propagation of mounts from the service to the host - (propagation in the opposite direction continues to work). This means that this setting may not be used for - services which shall be able to install mount points in the main mount namespace. The new - /dev/ will be mounted read-only and 'noexec'. The latter may break old programs which try - to set up executable memory by using + for details). 
Note that using this setting will disconnect propagation of mounts from the service to + the host (propagation in the opposite direction continues to work). This means that this setting may + not be used for services which shall be able to install mount points in the main mount namespace. The + new /dev/ will be mounted read-only and 'noexec'. The latter may break old + programs which try to set up executable memory by using mmap2 of - /dev/zero instead of using MAP_ANON. For this setting the same - restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and - related calls, see above. If turned on and if running in user mode, or in system mode, but without the - CAP_SYS_ADMIN capability (e.g. setting User=), - NoNewPrivileges=yes is implied. + /dev/zero instead of using MAP_ANON. For this setting the + same restrictions regarding mount propagation and privileges apply as for + ReadOnlyPaths= and related calls, see above. If turned on and if running in user + mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting + User=), NoNewPrivileges=yes is implied. - Note that the implementation of this setting might be impossible (for example if mount namespaces are not - available), and the unit should be written in a way that does not solely rely on this setting for - security. + Note that the implementation of this setting might be impossible (for example if mount + namespaces are not available), and the unit should be written in a way that does not solely rely on + this setting for security. - + + + When access to some but not all devices must be possible, the DeviceAllow= + setting might be used instead. See + systemd.resource-control5. + diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index ea728dff338..b21f8575a03 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1 url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller. In the unified cgroup hierarchy this functionality is implemented using eBPF filtering. + When access to all physical devices should be disallowed, + PrivateDevices= may be used instead. See + systemd.exec5. + + The device node specifier is either a path to a device node in the file system, starting with /dev/, or a string starting with either char- or block- followed by a device group name, as listed in
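Review bot: in the systemd.exec.xml hunk, the rewrap of the first PrivateDevices= paragraph also drops the word "securely" from "This is useful to securely turn off physical device access", which the commit message does not mention; if this is intentional (it does fit the later caveat that the unit should not solely rely on this setting for security), say so in the message, otherwise restore the original wording. Also, the new cross-reference paragraph says DeviceAllow= "might be used instead", while the matching paragraph added to systemd.resource-control.xml says PrivateDevices= "may be used instead"; use "may" in both so the two pages read consistently.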
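Review bot: in the systemd.resource-control.xml hunk, "PrivateDevices= may be used instead" reads as if PrivateDevices= were an alternative to the device controller, but the systemd.exec.xml text in this same patch states that enabling PrivateDevices= itself sets DevicePolicy=closed, so it builds on the same mechanism rather than replacing it; consider "When access to all physical devices should be disallowed, PrivateDevices= may be used, which also sets DevicePolicy=closed." so readers are not led to expect one setting to exclude the other.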