man: cross-reference DeviceAllow= and PrivateDevices=

They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages. For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.)
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2021-09-08 15:46:17 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2021-09-27 09:19:02 +0200
commit: a14e028e869739021482c86ef3aeb861b0342dd4 (patch)
tree: 4cb4d13a48efca79be6d62fcbf1185189b622bda /man
parent: ce0458be09911e75bfd3b4d802c9594c55a9c98d (diff)
download: systemd-a14e028e869739021482c86ef3aeb861b0342dd4.tar.gz
2 files changed, 35 insertions, 23 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index eadfc02421..ddcd0f1c25 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
       <varlistentry>
         <term><varname>PrivateDevices=</varname></term>
 
-        <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for the
-        executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
-        <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it,
-        but no physical devices such as <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>,
-        system ports <filename>/dev/port</filename> and others. This is useful to securely turn off physical device
-        access by the executed process. Defaults to false. Enabling this option will install a system call filter to
-        block low-level I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove
-        <constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the
-        unit (see above), and set <varname>DevicePolicy=closed</varname> (see
+        <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for
+        the executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
+        <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY
+        subsystem) to it, but no physical devices such as <filename>/dev/sda</filename>, system memory
+        <filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others. This is useful
+        to turn off physical device access by the executed process. Defaults to false.</para>
+
+        <para>Enabling this option will install a system call filter to block low-level I/O system calls that
+        are grouped in the <varname>@raw-io</varname> set, remove <constant>CAP_MKNOD</constant> and
+        <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the unit, and set
+        <varname>DevicePolicy=closed</varname> (see
         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        for details). Note that using this setting will disconnect propagation of mounts from the service to the host
-        (propagation in the opposite direction continues to work). This means that this setting may not be used for
-        services which shall be able to install mount points in the main mount namespace. The new
-        <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old programs which try
-        to set up executable memory by using
+        for details). Note that using this setting will disconnect propagation of mounts from the service to
+        the host (propagation in the opposite direction continues to work). This means that this setting may
+        not be used for services which shall be able to install mount points in the main mount namespace. The
+        new <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old
+        programs which try to set up executable memory by using
         <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
-        <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same
-        restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and
-        related calls, see above. If turned on and if running in user mode, or in system mode, but without the
-        <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
-        <varname>NoNewPrivileges=yes</varname> is implied.</para>
+        <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the
+        same restrictions regarding mount propagation and privileges apply as for
+        <varname>ReadOnlyPaths=</varname> and related calls, see above. If turned on and if running in user
+        mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
+        <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para>
 
-        <para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not
-        available), and the unit should be written in a way that does not solely rely on this setting for
-        security.</para>
+        <para>Note that the implementation of this setting might be impossible (for example if mount
+        namespaces are not available), and the unit should be written in a way that does not solely rely on
+        this setting for security.</para>
 
-        <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+        <xi:include href="system-only.xml" xpointer="singular"/>
+
+        <para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname>
+        setting might be used instead. See
+        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+        </para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index ea728dff33..b21f8575a0 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1</programlisting>
           url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>.
           In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para>
 
+          <para>When access to <emphasis>all</emphasis> physical devices should be disallowed,
+          <varname>PrivateDevices=</varname> may be used instead. See
+          <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+          </para>
+
           <para>The device node specifier is either a path to a device node in the file system, starting with
           <filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
           <literal>block-</literal> followed by a device group name, as listed in
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2021-09-08 15:46:17 +0200
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2021-09-27 09:19:02 +0200
commit	a14e028e869739021482c86ef3aeb861b0342dd4 (patch)
tree	4cb4d13a48efca79be6d62fcbf1185189b622bda /man
parent	ce0458be09911e75bfd3b4d802c9594c55a9c98d (diff)
download	systemd-a14e028e869739021482c86ef3aeb861b0342dd4.tar.gz