From 00d85bbb608a0a9b098b606dddb499e868c2dc1e Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 23 Jul 2019 13:28:44 +0200 Subject: [PATCH] man: document the modprobe hack for DeviceAllow= --- man/systemd.resource-control.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index e7b5dfbce67..1b5ac3e8e45 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -686,6 +686,18 @@ TTYs and all ALSA sound devices, respectively. char-cpu/* is a specifier matching all CPU related device groups. + + Note that whitelists defined this way should only reference device groups which are + resolvable at the time the unit is started. Any device groups not resolvable then are not added to + the device whitelist. In order to work around this limitation, consider extending service units + with an ExecStartPre=/sbin/modprobe… line that loads the necessary + kernel module implementing the device group if missing. Example: … +[Service] +ExecStartPre=-/sbin/modprobe -abq loop +DeviceAllow=block-loop +DeviceAllow=/dev/loop-control +… + -- 2.47.3
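Review bot: The example line `ExecStartPre=-/sbin/modprobe -abq loop` ignores a failed module load twice over (the leading "-" makes systemd disregard the exit status, and -q keeps modprobe quiet), but the new paragraph never says what happens in that case. By the paragraph's own rule, a group that is still unresolvable is simply not added to the whitelist, so the unit would start with `DeviceAllow=block-loop` having no effect and nothing pointing the administrator at the cause. Please add a sentence stating that this is the intended behaviour of the example and how the missing access will show up, or drop the "-" so that a failed load fails the unit. The running text also spells the line as `ExecStartPre=/sbin/modprobe…` without the "-" prefix while the example uses it; the two should match, or the difference should be explained. It would also help to say explicitly that the device group is resolved only after the ExecStartPre= commands have run, since "at the time the unit is started" alone does not tell the reader why loading the module from within the same unit is early enough.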