Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two space-separated strings: a device node path (such as /dev/null) followed by a combination of r, w, m”.
But that's not the main issue here. The main issue here is that devices.allow and devices.deny control access to _devices_. Your own user doesn't have write access to `/dev/sda`, but, somehow, you still can create files in your home directory, right? That's because file creation (and actually all the filesystem access) is done through kernel interfaces, not by reading/writing device nodes directly (that would be kind of insecure, right?). I can't come up with a proper solution to limit FS access if your process will be running as root.

--
Кирилл Елагин

On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagr...@redhat.com> wrote:

> Hi Kirill,
>
> Thanks for your valuable reply. As per man page DeviceAllow (Use to control
> access to specific device nodes by the executed process, This also controls
> the devices.allow and devices.deny both. My query is how it controls the
> device.deny), I am assuming after update DevicePolicy to strict means only
> process can be used allowed type of devices no other devices but after add
> the DevicePolicy also it is trying to create the file on /root/file_1.
>
> DeviceAllow=
>     Control access to specific device nodes by the executed
>     processes. Takes two space-separated strings: a device node path
>     (such as /dev/null) followed by a combination of r, w, m to
>     control reading, writing, or creation of the specific device node
>     by the unit (mknod), respectively. This controls the
>     "devices.allow" and "devices.deny" control group attributes. For
>     details about these control group attributes, see devices.txt[4].
>
> DevicePolicy=auto|closed|strict
>     Control the policy for allowing device access:
>
>     strict
>         means to only allow types of access that are explicitly
>         specified.
>
> [Unit]
> Description=mydevblock
> [Service]
> DeviceAllow=/dev/zero
> DevicePolicy=strict
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
> Restart=always
> [Install]
> WantedBy=multi-user.target
>
> I believe it should restrict to create the file.
>
> Regards
> Mohit Agrawal
>
> ----- Original Message -----
> From: "Kirill Elagin" <kirela...@gmail.com>
> To: "Mohit Agrawal" <moagr...@redhat.com>
> Cc: "systemd Mailing List" <systemd-devel@lists.freedesktop.org>
> Sent: Wednesday, June 4, 2014 12:17:46 PM
> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>
> First of all, according to docs, `DeviceAllow` syntax is somewhat different
> from what you have.
> Second, you might want to check `DevicePolicy`, as now your unit has access
> not only to `/dev/zero`, but also to four other devices.
>
> And hm, I thought, those directives control access to device nodes. Why are
> you expecting them to limit access to the filesystem?
>
> --
> Кирилл Елагин
>
> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagr...@redhat.com> wrote:
>
> > Hi,
> >
> > I want to block the device through the systemd cgroup so I have created a
> > below unit file
> >
> > [Unit]
> > Description=mydevblock
> > [Service]
> > DeviceAllow=/dev/zero
> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> > Restart=always
> > [Install]
> > WantedBy=multi-user.target
> >
> > As per my understanding in this unit file I have allowed only /dev/zero
> > device so dd command should not create the file_1 successfully it should
> > give the error.
> >
> > systemctl start mydevblock.service
> >
> > Below is the status after start the service and file_1 is successfully
> > created
> >
> > [host-name ~]# systemctl status mydevblock.service
> > ● mydev.service - mydevblock
> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST; 831ms ago
> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40 (code=exited, status=0/SUCCESS)
> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
> >
> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over, scheduling restart.
> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> > Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request repeated too quickly, refusing to start.
> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed state.
> >
> > [host-name> ~]# ls -lrt
> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
> >
> > Can someone reply why file_1 is created successfully?
> > Does anyone have an idea how I can put the restriction on the device?
> > Appreciate your inputs on this.
> >
> > Regards
> > Mohit Agrawal
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel@lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
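The two points Kirill raises, the `DeviceAllow=` syntax described in the quoted man page and the fact that the devices cgroup never governs writes to a regular file such as /root/file_1, can be checked mechanically before a unit is installed. The audit below is an added example, not code from this thread or from systemd; its syntax rule follows the man page excerpt quoted above, and treating `of=` in `ExecStart=` as the dd output path is an assumption made for this thread's unit.

```python
import re

# Access characters from the DeviceAllow= man page text quoted in the thread.
VALID_MODES = set("rwm")

def device_allow_error(value):
    """None if VALUE is '<device node path> <combination of r, w, m>', else a message."""
    parts = value.split()
    if len(parts) != 2:
        return f"DeviceAllow={value!r}: expected '<node> <rwm>', got {len(parts)} field(s)"
    node, modes = parts
    if not node.startswith("/dev/"):
        return f"DeviceAllow={value!r}: {node!r} is not a device node path"
    if not modes or set(modes) - VALID_MODES:
        return f"DeviceAllow={value!r}: access must be a combination of r, w, m"
    return None

def audit_unit(unit_text):
    """List the mistakes from the thread found in a unit file: bad DeviceAllow=
    syntax, DevicePolicy= not strict, and a dd ExecStart= writing a regular file
    (which the devices cgroup never restricts). Returns a list of strings."""
    findings, policy, has_allow = [], "auto", False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[" or "=" not in line:
            continue  # blank line, comment or section header
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key == "DeviceAllow":
            has_allow = True
            err = device_allow_error(val)
            if err:
                findings.append(err)
        elif key == "DevicePolicy":
            policy = val
        elif key == "ExecStart":
            # Assumed heuristic for the thread's dd command: of= names the output path.
            for target in re.findall(r"\bof=(\S+)", val):
                if not target.startswith("/dev/"):
                    findings.append(f"ExecStart writes to {target}: a regular file, "
                                    "and DeviceAllow/DevicePolicy only govern device nodes")
    if has_allow and policy != "strict":
        findings.append(f"DevicePolicy={policy}: access is not limited to the listed nodes")
    return findings

# The [Service] lines from the thread's first unit, as posted.
THREAD_UNIT = ("[Service]\nDeviceAllow=/dev/zero\n"
               "ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40\n")
```

Running `audit_unit(THREAD_UNIT)` reports all three problems; with `DeviceAllow=/dev/zero r` and `DevicePolicy=strict` only the filesystem-write finding remains, which is exactly the behaviour observed in the thread.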