Re: [systemd-devel] PrivateDevices= together with DevicePolicy=

2018-09-10 Thread Lennart Poettering
On Di, 21.08.18 09:57, Umut Tezduyar Lindskog (u...@tezduyar.com) wrote:

> Hi,
> 
> I am turning on PrivateDevices and as a result getting a minimal /dev
> tree for my service. Then I would like to add some selected devices
> with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
> see the device /dev/cam0 in the /dev tree and since the mount space is
> RO, I cannot create the device node either. However, the device cgroup
> has the right permissions.
> 
> Could you please explain if this is the expected behaviour?

Yupp it is. Hmm, you should be able to make this work by using
BindPaths=/dev/cam0 however. IIRC we will apply this before making
/dev read-only, and thus should make the device available in your /dev
instance.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
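A drop-in that puts Lennart's suggestion together with a device whitelist, as an added example that is not part of the thread (the unit name a.service and the node /dev/cam0 come from the thread; the choice of DevicePolicy=closed and the rw access string are assumptions, not something the thread confirms for this service):

```ini
# /etc/systemd/system/a.service.d/camera.conf (added example, not from the thread)
[Service]
# Keep the minimal, read-only /dev that PrivateDevices= builds for the service.
PrivateDevices=yes
# Make the host's /dev/cam0 node visible inside that private /dev.
# Per the reply above, bind mounts are applied before /dev is made read-only,
# which is what lets the node appear at all; DeviceAllow= alone only opens
# the cgroup, it never creates a node.
BindPaths=/dev/cam0
# Device cgroup side: deny everything except the standard pseudo devices,
# then whitelist the camera for read/write (mknod is not needed: the node
# comes from the bind mount). Assumed policy, adjust to the service's needs.
DevicePolicy=closed
DeviceAllow=/dev/cam0 rw
```

Both halves are needed and are checked separately: the bind mount is verified by `ls -l /dev/cam0` from inside the service, the cgroup by reading the service's devices.list the way the original report does. Since the reply is hedged with "IIRC", confirming the ordering on the systemd version actually deployed is the practical next step.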


Re: [systemd-devel] PrivateDevices= together with DevicePolicy=

2018-08-21 Thread Reindl Harald


Am 21.08.2018 um 09:57 schrieb Umut Tezduyar Lindskog:
> I am turning on PrivateDevices and as a result getting a minimal /dev
> tree for my service. Then I would like to add some selected devices
> with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
> see the device /dev/cam0 in the /dev tree and since the mount space is
> RO, I cannot create the device node either. However, the device cgroup
> has the right permissions

the whole point of "DevicePolicy" is to be more specific than
PrivateDevices, sample below is the caching disk for Apache Traffic Server
and when you read the docs this is "PrivateDevices + /dev/sdc"

cat /etc/systemd/system/trafficserver.service.d/security-devices.conf
[Service]
DevicePolicy=closed
DeviceAllow=/dev/sdc rw

I really don't see how it would make sense to use *both*

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

DevicePolicy=auto|closed|strict
closed in addition, allows access to standard pseudo devices including
/dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom


[systemd-devel] PrivateDevices= together with DevicePolicy=

2018-08-21 Thread Umut Tezduyar Lindskog
Hi,

I am turning on PrivateDevices and as a result getting a minimal /dev
tree for my service. Then I would like to add some selected devices
with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
see the device /dev/cam0 in the /dev tree and since the mount space is
RO, I cannot create the device node either. However, the device cgroup
has the right permissions.

Could you please explain if this is the expected behaviour?

systemd 239

-PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT -UTMP
-LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS
+KMOD -IDN2 -IDN -PCRE2 default-hierarchy=legacy

cat a.service
[Service]
PrivateDevices=yes
DevicePolicy=auto
DeviceAllow=/dev/cam0
ExecStart=/bin/sh -c "ls -al /dev && cat /sys/fs/cgroup/devices/system.slice/a.service/devices.list"

Aug 21 06:17:32 axis-accc systemd[1]: Started a.service.
Aug 21 06:17:32 axis-accc sh[5340]: drwxr-xr-x 6 root root 380 Aug 21 06:17 .
Aug 21 06:17:32 axis-accc sh[5340]: drwxr-xr-x 15 root root 1520 Aug 20 14:06 ..
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 11 Aug 21 06:17 core -> /proc/kcore
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 13 Aug 21 06:17 fd -> /proc/self/fd
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 1, 7 Aug 21 06:17 full
Aug 21 06:17:32 axis-accc sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 hugepages
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 28 Aug 21 06:17 log -> /run/systemd/journal/dev-log
Aug 21 06:17:32 axis-accc sh[5340]: drwxr-xr-x 2 root root 40 Aug 21 06:17 mqueue
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 1, 3 Aug 21 06:17 null
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 5, 2 Aug 21 06:17 ptmx
Aug 21 06:17:32 axis-accc sh[5340]: drwxr-xr-x 2 root root 0 Aug 21 06:12 pts
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 1, 8 Aug 21 06:17 random
Aug 21 06:17:32 axis-accc sh[5340]: drwxrwxrwt 2 root root 100 Aug 21 06:13 shm
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stderr -> /proc/self/fd/2
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdin -> /proc/self/fd/0
Aug 21 06:17:32 axis-accc sh[5340]: lrwxrwxrwx 1 root root 15 Aug 21 06:17 stdout -> /proc/self/fd/1
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 5, 0 Aug 21 06:17 tty
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 1, 9 Aug 21 06:17 urandom
Aug 21 06:17:32 axis-accc sh[5340]: crw-rw-rw- 1 root root 1, 5 Aug 21 06:17 zero
Aug 21 06:17:32 axis-accc sh[5340]: c 1:3 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 1:5 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 1:7 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 1:8 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 1:9 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 5:0 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 5:2 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 0:0 rwm
Aug 21 06:17:32 axis-accc sh[5340]: b 0:0 rwm
Aug 21 06:17:32 axis-accc sh[5340]: c 136:* rw
Aug 21 06:17:32 axis-accc sh[5340]: c 61:0 rwm
Aug 21 06:17:32 axis-accc systemd[1]: a.service: Consumed 64ms CPU time

root@axis-accc:/etc/systemd/system# ls -al /dev | grep cam0
crw-rw-rw- 1 root video 61, 0 Aug 20 13:52 cam0


Umut
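The report above shows the two checks that matter pulling in opposite directions: the legacy device cgroup lists `c 61:0 rwm`, i.e. the camera's major:minor from the host `ls`, yet the private /dev has no node for it. The following script, an added example that is not part of the thread, reads a cgroup v1 devices.list in the format printed above and decides whether a given device and access mode are permitted, including the `*` wildcards that entries such as `c 136:* rw` use. The sample list is constructed here to mirror the service's output; the function name device_allowed is an assumption. It answers only the cgroup half of the question: a permitted device still needs a node in the service's mount namespace.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Evaluate a cgroup v1 devices.list (legacy hierarchy) offline.
# Entry format: "<type> <major>:<minor> <access>", type is c, b or a (all),
# "*" in major or minor is a wildcard, access is a subset of "rwm".

# Constructed sample, mirroring the devices.list the service printed.
SAMPLE_DEVICES_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 0:0 rwm
b 0:0 rwm
c 136:* rw
c 61:0 rwm'

# device_allowed LIST TYPE MAJOR MINOR ACCESS
# Returns 0 when one entry covers every requested access letter, 1 otherwise.
device_allowed() {
    list=$1; type=$2; major=$3; minor=$4; want=$5
    ok=1
    while read -r t mm acc; do
        [ -n "$t" ] || continue
        # type must match, or the entry must be the "a" (all) type
        if [ "$t" != "$type" ] && [ "$t" != "a" ]; then continue; fi
        maj=${mm%%:*}; min=${mm#*:}
        if [ "$maj" != "*" ] && [ "$maj" != "$major" ]; then continue; fi
        if [ "$min" != "*" ] && [ "$min" != "$minor" ]; then continue; fi
        # every requested letter (r, w, m) must appear in the entry's access set
        rest=$want; missing=0
        while [ -n "$rest" ]; do
            ch=${rest%"${rest#?}"}   # first character of $rest
            rest=${rest#?}
            case $acc in *"$ch"*) ;; *) missing=1 ;; esac
        done
        if [ "$missing" -eq 0 ]; then ok=0; break; fi
    done <<EOF
$list
EOF
    return $ok
}

# Report for the devices discussed in the thread (major/minor from the host ls).
for q in "c 61 0 rw" "c 136 5 rw" "c 136 5 rwm" "b 8 0 r"; do
    set -- $q
    if device_allowed "$SAMPLE_DEVICES_LIST" "$1" "$2" "$3" "$4"; then
        echo "$1 $2:$3 $4: allowed by device cgroup"
    else
        echo "$1 $2:$3 $4: denied by device cgroup"
    fi
done
```

Run it against a real service with `cat /sys/fs/cgroup/devices/system.slice/<unit>/devices.list` piped into the LIST argument; the major and minor to query come from `ls -l` on the host node, as in the `61, 0` shown for cam0 above. A device that this reports as allowed but that is still absent from the service's /dev is the mount-namespace case the thread is about, not a cgroup problem.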