On 01/27/15 21:40, Lennart Poettering wrote:
> On Tue, 27.01.15 21:38, Topi Miettinen (toiwo...@gmail.com) wrote:
>
CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
DevicePolicy=closed
DeviceAllow=block-sd r
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
works
On 01/27/15 21:35, Lennart Poettering wrote:
> On Tue, 27.01.15 21:32, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> On 01/27/15 20:48, Lennart Poettering wrote:
>>> On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
>>>
On 01/26/15 23:46, Lennart Poettering wrote:
>> Bu
On Tue, 27.01.15 21:38, Topi Miettinen (toiwo...@gmail.com) wrote:
> >> CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
> >> DevicePolicy=closed
> >> DeviceAllow=block-sd r
> >> DeviceAllow=/dev/sda r
> >> DeviceAllow=/dev/sdb r
> >> works fine here.
> >
> > You should be able to reduce
On 01/27/15 20:52, Lennart Poettering wrote:
> On Tue, 27.01.15 18:51, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> On 01/26/15 21:04, Lennart Poettering wrote:
>>> On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
>>>
On 01/26/15 12:41, Simon McVittie wrote:
> On 24/0
On Tue, 27.01.15 21:32, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 01/27/15 20:48, Lennart Poettering wrote:
> > On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
> >
> >> On 01/26/15 23:46, Lennart Poettering wrote:
> But independently of the PrivateDevices thing, woul
On 01/27/15 20:48, Lennart Poettering wrote:
> On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> On 01/26/15 23:46, Lennart Poettering wrote:
But independently of the PrivateDevices thing, would you think
tmpfiles.d could be extended to be usable for unit specific c
On Tue, 27.01.15 18:51, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 01/26/15 21:04, Lennart Poettering wrote:
> > On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
> >
> >> On 01/26/15 12:41, Simon McVittie wrote:
> >>> On 24/01/15 10:09, Topi Miettinen wrote:
> For exam
On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 01/26/15 23:46, Lennart Poettering wrote:
> >> But independently of the PrivateDevices thing, would you think
> >> tmpfiles.d could be extended to be usable for unit specific cases
> >> instead of just one global setup? I thin
On 01/26/15 23:46, Lennart Poettering wrote:
>> But independently of the PrivateDevices thing, would you think
>> tmpfiles.d could be extended to be usable for unit specific cases
>> instead of just one global setup? I think there could be more uses, for
>> example, creating directories and links i
On 01/26/15 21:04, Lennart Poettering wrote:
> On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> On 01/26/15 12:41, Simon McVittie wrote:
>>> On 24/01/15 10:09, Topi Miettinen wrote:
For example, smartd only needs access to /dev/sd*.
>>>
>>> Let me spell that differently
On Mon, 26.01.15 17:25, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 01/26/15 16:13, Lennart Poettering wrote:
> > On Sat, 24.01.15 10:09, Topi Miettinen (toiwo...@gmail.com) wrote:
> >
> >> Hello,
> >>
> >> It would be useful to be able to use PrivateDevices with additional
> >> devices to th
On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 01/26/15 12:41, Simon McVittie wrote:
> > On 24/01/15 10:09, Topi Miettinen wrote:
> >> For example, smartd only needs access to /dev/sd*.
> >
> > Let me spell that differently: smartd "only" needs the ability to make
> > arb
On 01/26/15 16:13, Lennart Poettering wrote:
> On Sat, 24.01.15 10:09, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> Hello,
>>
>> It would be useful to be able to use PrivateDevices with additional
>> devices to the basic set (null, zero, urandom etc). For example, smartd
>> only needs access to
On 01/26/15 12:41, Simon McVittie wrote:
> On 24/01/15 10:09, Topi Miettinen wrote:
>> For example, smartd only needs access to /dev/sd*.
>
> Let me spell that differently: smartd "only" needs the ability to make
> arbitrary filesystem changes, defeating any possible configurable
> security mechan
On Sat, 24.01.15 10:09, Topi Miettinen (toiwo...@gmail.com) wrote:
> Hello,
>
> It would be useful to be able to use PrivateDevices with additional
> devices to the basic set (null, zero, urandom etc). For example, smartd
> only needs access to /dev/sd*. It would be a bit complex to do this
> wit
On 24/01/15 10:09, Topi Miettinen wrote:
> For example, smartd only needs access to /dev/sd*.
Let me spell that differently: smartd "only" needs the ability to make
arbitrary filesystem changes, defeating any possible configurable
security mechanism.
If you give it access to /dev/sd* but not to o
Hello,
It would be useful to be able to use PrivateDevices with additional
devices to the basic set (null, zero, urandom etc). For example, smartd
only needs access to /dev/sd*. It would be a bit complex to do this
without help of systemd, you would have to set up the private /dev
filesystem by ha