| | | |
|---|---|---|
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-09-08 15:46:17 +0200 |
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-09-27 09:19:02 +0200 |
| commit | a14e028e869739021482c86ef3aeb861b0342dd4 (patch) | |
| tree | 4cb4d13a48efca79be6d62fcbf1185189b622bda /man | |
| parent | ce0458be09911e75bfd3b4d802c9594c55a9c98d (diff) | |
| download | systemd-a14e028e869739021482c86ef3aeb861b0342dd4.tar.gz | |
man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.
For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
Diffstat (limited to 'man')

| mode | file | changed lines |
|---|---|---|
| -rw-r--r-- | man/systemd.exec.xml | 53 |
| -rw-r--r-- | man/systemd.resource-control.xml | 5 |

2 files changed, 35 insertions, 23 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index eadfc02421..ddcd0f1c25 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <varlistentry> <term><varname>PrivateDevices=</varname></term> - <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for the - executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>, - <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, - but no physical devices such as <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, - system ports <filename>/dev/port</filename> and others. This is useful to securely turn off physical device - access by the executed process. Defaults to false. Enabling this option will install a system call filter to - block low-level I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove - <constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the - unit (see above), and set <varname>DevicePolicy=closed</varname> (see + <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for + the executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>, + <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY + subsystem) to it, but no physical devices such as <filename>/dev/sda</filename>, system memory + <filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others. This is useful + to turn off physical device access by the executed process. 
Defaults to false.</para> + + <para>Enabling this option will install a system call filter to block low-level I/O system calls that + are grouped in the <varname>@raw-io</varname> set, remove <constant>CAP_MKNOD</constant> and + <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the unit, and set + <varname>DevicePolicy=closed</varname> (see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details). Note that using this setting will disconnect propagation of mounts from the service to the host - (propagation in the opposite direction continues to work). This means that this setting may not be used for - services which shall be able to install mount points in the main mount namespace. The new - <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old programs which try - to set up executable memory by using + for details). Note that using this setting will disconnect propagation of mounts from the service to + the host (propagation in the opposite direction continues to work). This means that this setting may + not be used for services which shall be able to install mount points in the main mount namespace. The + new <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old + programs which try to set up executable memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of - <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same - restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and - related calls, see above. If turned on and if running in user mode, or in system mode, but without the - <constant>CAP_SYS_ADMIN</constant> capability (e.g. 
setting <varname>User=</varname>), - <varname>NoNewPrivileges=yes</varname> is implied.</para> + <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the + same restrictions regarding mount propagation and privileges apply as for + <varname>ReadOnlyPaths=</varname> and related calls, see above. If turned on and if running in user + mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting + <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para> - <para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not - available), and the unit should be written in a way that does not solely rely on this setting for - security.</para> + <para>Note that the implementation of this setting might be impossible (for example if mount + namespaces are not available), and the unit should be written in a way that does not solely rely on + this setting for security.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-only.xml" xpointer="singular"/> + + <para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname> + setting might be used instead. See + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index ea728dff33..b21f8575a0 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1</programlisting> url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>. In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para> + <para>When access to <emphasis>all</emphasis> physical devices should be disallowed, + <varname>PrivateDevices=</varname> may be used instead. See + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para> + <para>The device node specifier is either a path to a device node in the file system, starting with <filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or <literal>block-</literal> followed by a device group name, as listed in |
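Review bot: in the systemd.exec.xml hunk, the new DeviceAllow= cross-reference `<para>` is placed after `<xi:include href="system-only.xml" xpointer="singular"/>`, which the removed line shows was previously the closing element of the `<listitem>`; consider moving the new paragraph before the include so the system-only note stays last, and use `may be used instead` to match the wording of the paragraph added to systemd.resource-control.xml in the same patch. Two wording changes in this hunk are also not mentioned in the commit message and are easy to miss because the whole paragraph is rewrapped: the removed line reads `This is useful to securely turn off physical device` while the added line drops `securely`, and `from the capability bounding set for the unit (see above)` loses the `(see above)` pointer. Either call these out in the message or keep the original wording.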
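Review bot: in the systemd.resource-control.xml hunk, `PrivateDevices= may be used instead` reads as if the two settings were interchangeable, but the systemd.exec.xml hunk of this same patch states that PrivateDevices= itself sets `DevicePolicy=closed`, installs the `@raw-io` system call filter and removes `CAP_MKNOD` and `CAP_SYS_RAWIO` from the bounding set. Consider saying so here, for example `PrivateDevices= may be used instead; it implies DevicePolicy=closed and additionally filters raw I/O system calls`, so readers do not take it for a plain DeviceAllow= with an empty list.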