Here is a proof that this kind of limiting for devices actually works. This service is trying to read the first byte of `/dev/sda1` but is allowed to access `/dev/zero` only:
~~~~~~~
[Unit]
Description=test
[Service]
Type=oneshot
ExecStart=/bin/head /dev/sda1 -c 1
DeviceAllow=/dev/zero r
DevicePolicy=strict
~~~~~~~~~~

~~~~~~~~~
# systemctl start bar.service
Job for bar.service failed. See 'systemctl status bar.service' and 'journalctl -xn' for details.
# systemctl status bar.service
<...>
Jun 04 11:30:53 kirNote head[26237]: /bin/head: cannot open ‘/dev/sda1’ for reading: Operation not permitted
Jun 04 11:30:53 kirNote systemd[1]: bar.service: main process exited, code=exited, status=1/FAILURE
Jun 04 11:30:53 kirNote systemd[1]: Failed to start test.
Jun 04 11:30:53 kirNote systemd[1]: Unit bar.service entered failed state.
~~~~~~~~~~~~~~~~

--
Кирилл Елагин

On Wed, Jun 4, 2014 at 11:29 AM, Kirill Elagin <kirela...@gmail.com> wrote:

> Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two
> space-separated strings: a device node path (such as /dev/null) followed by
> a combination of r, w, m”.
>
> But that's not the main issue here. The main issue here is that
> devices.allow and devices.deny control access to _devices_.
> Your own user doesn't have write access to `/dev/sda`, but, somehow, you
> still can create files in your home directory, right? That's because file
> creation (and actually all the filesystem access) is done through kernel
> interfaces, not by reading/writing device nodes directly (that would be
> kind of insecure, right?).
>
> I can't come up with a proper solution to limit FS access if your process
> will be running as root.
>
>
> --
> Кирилл Елагин
>
>
> On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagr...@redhat.com> wrote:
>
>> Hi Kirill,
>>
>>
>> Thanks for your valuable reply. As per the man page, DeviceAllow is used to
>> control access to specific device nodes by the executed process; this also
>> controls both devices.allow and devices.deny (my query is how it controls
>> devices.deny). I am assuming that after updating DevicePolicy to strict,
>> the process can use only the allowed type of devices and no other devices,
>> but after adding DevicePolicy it is still trying to create the file on
>> /root/file_1.
>>
>> DeviceAllow=
>>     Control access to specific device nodes by the executed
>>     processes. Takes two space-separated strings: a device node path
>>     (such as /dev/null) followed by a combination of r, w, m to
>>     control reading, writing, or creation of the specific device node
>>     by the unit (mknod), respectively. This controls the
>>     "devices.allow" and "devices.deny" control group attributes. For
>>     details about these control group attributes, see devices.txt[4].
>>
>> DevicePolicy=auto|closed|strict
>>     Control the policy for allowing device access:
>>
>>     strict
>>         means to only allow types of access that are explicitly
>>         specified.
>>
>> [Unit]
>> Description=mydevblock
>> [Service]
>> DeviceAllow=/dev/zero
>> DevicePolicy=strict
>> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
>> Restart=always
>> [Install]
>> WantedBy=multi-user.target
>>
>> I believe it should restrict creating the file.
>>
>>
>> Regards
>> Mohit Agrawal
>>
>>
>>
>> ----- Original Message -----
>> From: "Kirill Elagin" <kirela...@gmail.com>
>> To: "Mohit Agrawal" <moagr...@redhat.com>
>> Cc: "systemd Mailing List" <systemd-devel@lists.freedesktop.org>
>> Sent: Wednesday, June 4, 2014 12:17:46 PM
>> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>>
>> First of all, according to docs, `DeviceAllow` syntax is somewhat different
>> from what you have.
>> Second, you might want to check `DevicePolicy`, as now your unit has access
>> not only to `/dev/zero`, but also to four other devices.
>>
>> And hm, I thought, those directives control access to device nodes. Why are
>> you expecting them to limit access to the filesystem?
>>
>>
>> --
>> Кирилл Елагин
>>
>>
>> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagr...@redhat.com> wrote:
>>
>> > Hi,
>> >
>> > I want to block the device through the systemd cgroup, so I have created
>> > the below unit file
>> >
>> > [Unit]
>> > Description=mydevblock
>> > [Service]
>> > DeviceAllow=/dev/zero
>> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
>> > Restart=always
>> > [Install]
>> > WantedBy=multi-user.target
>> >
>> >
>> > As per my understanding, in this unit file I have allowed only the
>> > /dev/zero device, so the dd command should not create file_1
>> > successfully; it should give an error.
>> >
>> > systemctl start mydevblock.service
>> >
>> > Below is the status after starting the service; file_1 is successfully
>> > created
>> >
>> > [host-name ~]# systemctl status mydevblock.service
>> > ● mydev.service - mydevblock
>> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
>> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;
>> > 831ms ago
>> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
>> > count=40 (code=exited, status=0/SUCCESS)
>> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
>> >
>> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
>> > scheduling restart.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
>> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
>> > Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request
>> > repeated too quickly, refusing to start.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
>> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed
>> > state.
>> >
>> > [host-name> ~]# ls -lrt
>> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
>> >
>> >
>> > Can someone reply why file_1 is created successfully?
>> > Does anyone have an idea how I can put the restriction on the device?
>> > Appreciate your inputs on this.
>> >
>> >
>> > Regards
>> > Mohit Agrawal
>> > _______________________________________________
>> > systemd-devel mailing list
>> > systemd-devel@lists.freedesktop.org
>> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> >
>> >
>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
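As an added illustration of the three points this thread turns on (the `DeviceAllow=` value needs an access string after the node path, `DevicePolicy=strict` is what makes the list exclusive, and a regular file such as `/root/file_1` is not a device node so the device cgroup never sees it), here is a small static linter for unit files. It is not code from the thread or from systemd; `parse_unit`, `referenced_paths` and `lint_device_policy` are names chosen for this example, `ORIGINAL_UNIT` and `PROOF_UNIT` are constructed from the unit files quoted above, and the linter treats a missing access string as a finding on the strength of the man page wording quoted in the thread. It enforces nothing itself; the kernel's device cgroup does that, as the `head /dev/sda1` proof shows.

```python
"""Static check for the DeviceAllow=/DevicePolicy= pitfalls discussed in the thread.

Hypothetical helper written for this example; it only reads a unit file and
reports findings, it does not apply any cgroup rule.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample inputs (not captured from a host): the unit as first
# posted in the thread, and a unit in the shape of the working proof.
ORIGINAL_UNIT = """\
[Unit]
Description=mydevblock
[Service]
DeviceAllow=/dev/zero
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
Restart=always
[Install]
WantedBy=multi-user.target
"""

PROOF_UNIT = """\
[Unit]
Description=test
[Service]
Type=oneshot
ExecStart=/bin/head /dev/sda1 -c 1
DeviceAllow=/dev/zero r
DevicePolicy=strict
"""

_ABS_PATH = re.compile(r"/[^\s]+")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI-style parse: section -> ordered (key, value) pairs, repeats kept."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def referenced_paths(execstart: str) -> List[str]:
    """Absolute paths named in an ExecStart= argument list, excluding the executable."""
    try:
        argv = shlex.split(execstart)
    except ValueError:
        argv = execstart.split()
    paths: List[str] = []
    for arg in argv[1:]:
        paths.extend(_ABS_PATH.findall(arg))
    return paths


def lint_device_policy(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the unit text."""
    findings: List[Tuple[str, str]] = []
    service = parse_unit(text).get("Service", [])
    allows = [v for k, v in service if k == "DeviceAllow"]
    policies = [v for k, v in service if k == "DevicePolicy"]
    allowed_nodes = set()

    for value in allows:
        parts = value.split()
        if not parts:  # empty assignment: nothing to check
            continue
        allowed_nodes.add(parts[0])
        if len(parts) < 2:
            # The man page quoted in the thread wants "<node> <r|w|m...>";
            # a bare path leaves the intended access mode unstated.
            findings.append(("DEVICEALLOW_NO_ACCESS",
                             f"DeviceAllow={value!r}: no r/w/m access string after the node path"))
        elif set(parts[1]) - set("rwm"):
            findings.append(("DEVICEALLOW_BAD_ACCESS",
                             f"DeviceAllow={value!r}: access string may only contain r, w, m"))

    # Without DevicePolicy=strict the unit still reaches the default set of
    # standard device nodes, not only the ones listed (the thread's second point).
    if allows and (not policies or policies[-1] != "strict"):
        findings.append(("NO_STRICT_POLICY",
                         "DevicePolicy= is not 'strict', so DeviceAllow= is not an exclusive allowlist"))

    for key, value in service:
        if not key.startswith("ExecStart"):
            continue
        for path in referenced_paths(value):
            if path.startswith("/dev/"):
                if policies and policies[-1] == "strict" and path not in allowed_nodes:
                    findings.append(("DEVICE_NOT_ALLOWED",
                                     f"{path} is opened by ExecStart= but not listed in "
                                     "DeviceAllow=; under strict policy the open is refused"))
            else:
                # Regular files go through the VFS, not a device node, so the
                # device cgroup never sees them (the thread's main point).
                findings.append(("FS_PATH_NOT_DEVICE",
                                 f"{path} is a regular filesystem path; DeviceAllow= cannot restrict it"))
    return findings


if __name__ == "__main__":
    for name, unit in (("original", ORIGINAL_UNIT), ("proof", PROOF_UNIT)):
        print(f"== {name} ==")
        for code, msg in lint_device_policy(unit):
            print(f"{code}: {msg}")
```

Run against the first unit it reports the missing access string, the missing strict policy and the `/root/file_1` write that no device rule can stop; against the proof unit it reports only that `/dev/sda1` is not in the allowlist, which is exactly the `Operation not permitted` the journal shows.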