By the way, reading through the NEWS I thought you might be interested in `InaccessibleDirectories=/` or something like that.
--
Кирилл Елагин

On Wed, Jun 4, 2014 at 1:18 PM, Mohit Agrawal <moagr...@redhat.com> wrote:
> Hi,
>
> Thanks for sharing the example unit file, now the query is resolved.
>
>
> Regards
> Mohit Agrawal
>
> ----- Original Message -----
> From: "Kirill Elagin" <kirela...@gmail.com>
> To: "Mohit Agrawal" <moagr...@redhat.com>
> Cc: "systemd Mailing List" <systemd-devel@lists.freedesktop.org>
> Sent: Wednesday, June 4, 2014 1:03:47 PM
> Subject: Re: [systemd-devel] How to Restrict device in systemd?
>
> Here is a proof that this kind of limiting for devices actually works. This
> service is trying to read the first byte of `/dev/sda1` but is allowed to
> access `/dev/zero` only:
>
> ~~~~~~~
> [Unit]
> Description=test
> [Service]
> Type=oneshot
> ExecStart=/bin/head /dev/sda1 -c 1
> DeviceAllow=/dev/zero r
> DevicePolicy=strict
> ~~~~~~~
>
> ~~~~~~~
> # systemctl start bar.service
> Job for bar.service failed. See 'systemctl status bar.service' and
> 'journalctl -xn' for details.
>
> # systemctl status bar.service
> <...>
> Jun 04 11:30:53 kirNote head[26237]: /bin/head: cannot open ‘/dev/sda1’ for
> reading: Operation not permitted
> Jun 04 11:30:53 kirNote systemd[1]: bar.service: main process exited,
> code=exited, status=1/FAILURE
> Jun 04 11:30:53 kirNote systemd[1]: Failed to start test.
> Jun 04 11:30:53 kirNote systemd[1]: Unit bar.service entered failed state.
> ~~~~~~~
>
>
> --
> Кирилл Елагин
>
>
> On Wed, Jun 4, 2014 at 11:29 AM, Kirill Elagin <kirela...@gmail.com>
> wrote:
>
> > Well, first of all, your `DeviceAllow` syntax is still wrong. “Takes two
> > space-separated strings: a device node path (such as /dev/null) followed
> > by a combination of r, w, m”.
> >
> > But that's not the main issue here. The main issue here is that
> > devices.allow and devices.deny control access to _devices_.
> > Your own user doesn't have write access to `/dev/sda`, but, somehow, you
> > still can create files in your home directory, right? That's because file
> > creation (and actually all the filesystem access) is done through kernel
> > interfaces, not by reading/writing device nodes directly (that would be
> > kind of insecure, right?).
> >
> > I can't come up with a proper solution to limit FS access if your process
> > will be running as root.
> >
> >
> > --
> > Кирилл Елагин
> >
> >
> > On Wed, Jun 4, 2014 at 11:16 AM, Mohit Agrawal <moagr...@redhat.com>
> > wrote:
> >
> >> Hi Kirill,
> >>
> >>
> >> Thanks for your valuable reply. As per the man page, DeviceAllow (used to
> >> control access to specific device nodes by the executed process; this also
> >> controls both devices.allow and devices.deny; my query is how it controls
> >> devices.deny). I am assuming that after updating DevicePolicy to strict,
> >> the process can only use the allowed types of devices and no other
> >> devices, but after adding the DevicePolicy it is still trying to create
> >> the file at /root/file_1.
> >>
> >> DeviceAllow=
> >>     Control access to specific device nodes by the executed
> >>     processes. Takes two space-separated strings: a device node path
> >>     (such as /dev/null) followed by a combination of r, w, m to
> >>     control reading, writing, or creation of the specific device node
> >>     by the unit (mknod), respectively. This controls the
> >>     "devices.allow" and "devices.deny" control group attributes. For
> >>     details about these control group attributes, see
> >>     devices.txt[4].
> >>
> >> DevicePolicy=auto|closed|strict
> >>     Control the policy for allowing device access:
> >>
> >>     strict
> >>         means to only allow types of access that are explicitly
> >>         specified.
> >>
> >> [Unit]
> >> Description=mydevblock
> >> [Service]
> >> DeviceAllow=/dev/zero
> >> DevicePolicy=strict
> >> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=400
> >> Restart=always
> >> [Install]
> >> WantedBy=multi-user.target
> >>
> >> I believe it should restrict creating the file.
> >>
> >>
> >> Regards
> >> Mohit Agrawal
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "Kirill Elagin" <kirela...@gmail.com>
> >> To: "Mohit Agrawal" <moagr...@redhat.com>
> >> Cc: "systemd Mailing List" <systemd-devel@lists.freedesktop.org>
> >> Sent: Wednesday, June 4, 2014 12:17:46 PM
> >> Subject: Re: [systemd-devel] How to Restrict device in systemd?
> >>
> >> First of all, according to the docs, `DeviceAllow` syntax is somewhat
> >> different from what you have.
> >> Second, you might want to check `DevicePolicy`, as now your unit has
> >> access not only to `/dev/zero`, but also to four other devices.
> >>
> >> And hm, I thought those directives control access to device nodes. Why
> >> are you expecting them to limit access to the filesystem?
> >>
> >>
> >> --
> >> Кирилл Елагин
> >>
> >>
> >> On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <moagr...@redhat.com>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > I want to block the device through the systemd cgroup, so I have
> >> > created the unit file below
> >> >
> >> > [Unit]
> >> > Description=mydevblock
> >> > [Service]
> >> > DeviceAllow=/dev/zero
> >> > ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> >> > Restart=always
> >> > [Install]
> >> > WantedBy=multi-user.target
> >> >
> >> >
> >> > As per my understanding, in this unit file I have allowed only the
> >> > /dev/zero device, so the dd command should not create file_1
> >> > successfully; it should give an error.
> >> >
> >> > systemctl start mydevblock.service
> >> >
> >> > Below is the status after starting the service; file_1 is successfully
> >> > created
> >> >
> >> > [host-name ~]# systemctl status mydevblock.service
> >> > ● mydev.service - mydevblock
> >> >    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
> >> >    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;
> >> >            831ms ago
> >> >   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
> >> >            count=40 (code=exited, status=0/SUCCESS)
> >> >  Main PID: 27800 (code=exited, status=0/SUCCESS)
> >> >
> >> > Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
> >> > scheduling restart.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> >> > Jun 04 11:32:24 <host-name> sytemd[1]: mydev.service start request
> >> > repeated too quickly, refusing to start.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> >> > Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered
> >> > failed state.
> >> >
> >> > [host-name ~]# ls -lrt
> >> > -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
> >> >
> >> >
> >> > Can someone explain why file_1 is created successfully?
> >> > Does anyone have an idea how I can put the restriction on the device?
> >> > Appreciate your inputs on this.
> >> >
> >> >
> >> > Regards
> >> > Mohit Agrawal
> >> > _______________________________________________
> >> > systemd-devel mailing list
> >> > systemd-devel@lists.freedesktop.org
> >> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
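The thread's conclusion in unit-file form, written here as an added example rather than code from the thread: `DeviceAllow=`/`DevicePolicy=` only decide which device nodes the service's cgroup may open, so the filesystem restriction has to come from a separate directive such as the `InaccessibleDirectories=` mentioned at the top. The unit file names, `Type=oneshot`, and the choice of `/root` as the restricted path are assumptions.

```ini
# /etc/systemd/system/mydevblock-weak.service   (assumed file name)
#
# Weak: DeviceAllow= omits the access mode the man page calls for, there
# is no DevicePolicy=, and nothing restricts the filesystem at all.
# The device cgroup never sees the write to /root/file_1 because dd
# reaches the filesystem through the kernel's VFS, not through a device
# node, so this dd succeeds (the behaviour reported in the thread).
[Unit]
Description=mydevblock (weak)

[Service]
DeviceAllow=/dev/zero
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
Restart=always

[Install]
WantedBy=multi-user.target


# /etc/systemd/system/mydevblock-hardened.service   (assumed file name)
#
# Hardened: the device side is tightened as in Kirill's proof (strict
# policy plus an explicit read-only grant), and the filesystem side is
# handled by its own directive. InaccessibleDirectories= makes /root
# inaccessible inside this service's mount namespace, so the write fails
# even though the service runs as root. Newer systemd spells the same
# directive InaccessiblePaths=; the old name is still accepted.
[Unit]
Description=mydevblock (hardened)

[Service]
Type=oneshot
DevicePolicy=strict
DeviceAllow=/dev/zero r
InaccessibleDirectories=/root
ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40

[Install]
WantedBy=multi-user.target
```

To confirm which settings actually took effect on a loaded unit, `systemctl show mydevblock-hardened.service -p DevicePolicy -p DeviceAllow -p InaccessibleDirectories` prints the parsed values, which is quicker than reading the journal after a failed start.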