1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

man: cross-reference DeviceAllow= and PrivateDevices=

They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.

For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2021-09-08 15:46:17 +02:00
parent ce0458be09
commit a14e028e86
2 changed files with 35 additions and 23 deletions

View File

@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<varlistentry>
<term><varname>PrivateDevices=</varname></term>
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for the
executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
<filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it,
but no physical devices such as <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>,
system ports <filename>/dev/port</filename> and others. This is useful to securely turn off physical device
access by the executed process. Defaults to false. Enabling this option will install a system call filter to
block low-level I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove
<constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the
unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for
the executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
<filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY
subsystem) to it, but no physical devices such as <filename>/dev/sda</filename>, system memory
<filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others. This is useful
to turn off physical device access by the executed process. Defaults to false.</para>
<para>Enabling this option will install a system call filter to block low-level I/O system calls that
are grouped in the <varname>@raw-io</varname> set, remove <constant>CAP_MKNOD</constant> and
<constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the unit, and set
<varname>DevicePolicy=closed</varname> (see
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
services which shall be able to install mount points in the main mount namespace. The new
<filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old programs which try
to set up executable memory by using
for details). Note that using this setting will disconnect propagation of mounts from the service to
the host (propagation in the opposite direction continues to work). This means that this setting may
not be used for services which shall be able to install mount points in the main mount namespace. The
new <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old
programs which try to set up executable memory by using
<citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same
restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and
related calls, see above. If turned on and if running in user mode, or in system mode, but without the
<constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
<varname>NoNewPrivileges=yes</varname> is implied.</para>
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the
same restrictions regarding mount propagation and privileges apply as for
<varname>ReadOnlyPaths=</varname> and related calls, see above. If turned on and if running in user
mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
<varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not
available), and the unit should be written in a way that does not solely rely on this setting for
security.</para>
<para>Note that the implementation of this setting might be impossible (for example if mount
namespaces are not available), and the unit should be written in a way that does not solely rely on
this setting for security.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-only.xml" xpointer="singular"/>
<para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname>
setting might be used instead. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1</programlisting>
url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>.
In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para>
<para>When access to <emphasis>all</emphasis> physical devices should be disallowed,
<varname>PrivateDevices=</varname> may be used instead. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
<para>The device node specifier is either a path to a device node in the file system, starting with
<filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
<literal>block-</literal> followed by a device group name, as listed in