mirror of
https://github.com/systemd/systemd.git
synced 2025-01-10 05:18:17 +03:00
man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages. For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.)
This commit is contained in:
parent
ce0458be09
commit
a14e028e86
@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>PrivateDevices=</varname></term>
|
<term><varname>PrivateDevices=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for the
|
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for
|
||||||
executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
|
the executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
|
||||||
<filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it,
|
<filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY
|
||||||
but no physical devices such as <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>,
|
subsystem) to it, but no physical devices such as <filename>/dev/sda</filename>, system memory
|
||||||
system ports <filename>/dev/port</filename> and others. This is useful to securely turn off physical device
|
<filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others. This is useful
|
||||||
access by the executed process. Defaults to false. Enabling this option will install a system call filter to
|
to turn off physical device access by the executed process. Defaults to false.</para>
|
||||||
block low-level I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove
|
|
||||||
<constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the
|
<para>Enabling this option will install a system call filter to block low-level I/O system calls that
|
||||||
unit (see above), and set <varname>DevicePolicy=closed</varname> (see
|
are grouped in the <varname>@raw-io</varname> set, remove <constant>CAP_MKNOD</constant> and
|
||||||
|
<constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the unit, and set
|
||||||
|
<varname>DevicePolicy=closed</varname> (see
|
||||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
|
for details). Note that using this setting will disconnect propagation of mounts from the service to
|
||||||
(propagation in the opposite direction continues to work). This means that this setting may not be used for
|
the host (propagation in the opposite direction continues to work). This means that this setting may
|
||||||
services which shall be able to install mount points in the main mount namespace. The new
|
not be used for services which shall be able to install mount points in the main mount namespace. The
|
||||||
<filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old programs which try
|
new <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old
|
||||||
to set up executable memory by using
|
programs which try to set up executable memory by using
|
||||||
<citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
|
<citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
|
||||||
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same
|
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the
|
||||||
restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and
|
same restrictions regarding mount propagation and privileges apply as for
|
||||||
related calls, see above. If turned on and if running in user mode, or in system mode, but without the
|
<varname>ReadOnlyPaths=</varname> and related calls, see above. If turned on and if running in user
|
||||||
<constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
|
mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
|
||||||
<varname>NoNewPrivileges=yes</varname> is implied.</para>
|
<varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para>
|
||||||
|
|
||||||
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not
|
<para>Note that the implementation of this setting might be impossible (for example if mount
|
||||||
available), and the unit should be written in a way that does not solely rely on this setting for
|
namespaces are not available), and the unit should be written in a way that does not solely rely on
|
||||||
security.</para>
|
this setting for security.</para>
|
||||||
|
|
||||||
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
|
<xi:include href="system-only.xml" xpointer="singular"/>
|
||||||
|
|
||||||
|
<para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname>
|
||||||
|
setting might be used instead. See
|
||||||
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
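Review bot: the new cross-reference paragraph (`<para>When access to some but not all devices must be possible, ...`) is inserted after the `<xi:include href="system-only.xml" xpointer="singular"/>`, so the system-only note now sits in the middle of the entry instead of closing the listitem as it did before this change; move the paragraph above the xi:include so the include remains the last element. Separately, the rewritten bounding-set sentence drops the "(see above)" that pointed readers at the capability bounding set description, while the `<varname>ReadOnlyPaths=</varname> and related calls, see above` reference a few lines later is kept; either restore the pointer or name the option explicitly.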
@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1</programlisting>
|
|||||||
url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>.
|
url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>.
|
||||||
In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para>
|
In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para>
|
||||||
|
|
||||||
|
<para>When access to <emphasis>all</emphasis> physical devices should be disallowed,
|
||||||
|
<varname>PrivateDevices=</varname> may be used instead. See
|
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>The device node specifier is either a path to a device node in the file system, starting with
|
<para>The device node specifier is either a path to a device node in the file system, starting with
|
||||||
<filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
|
<filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
|
||||||
<literal>block-</literal> followed by a device group name, as listed in
|
<literal>block-</literal> followed by a device group name, as listed in
|
||||||
|
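Review bot: "may be used instead" under-describes PrivateDevices=: as the systemd.exec text in the other hunk states, it also installs an `@raw-io` system call filter, removes CAP_MKNOD and CAP_SYS_RAWIO from the bounding set and sets `DevicePolicy=closed`, so it is not a drop-in replacement for DeviceAllow= and a reader who switches to it may hit unrelated breakage; say that it is the broader sandboxing option (e.g. "the broader <varname>PrivateDevices=</varname> sandboxing setting may be used instead"). Minor: the closing `</para>` on its own line differs from the surrounding entries, where it follows the final sentence (e.g. "using eBPF filtering.</para>").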