On 21.08.2018 at 09:57, Umut Tezduyar Lindskog wrote:
> I am turning on PrivateDevices and as a result getting a minimal /dev
> tree for my service. Then I would like to add some selected devices
> with DevicePolicy=auto & DeviceAllow=/dev/cam0. As a result, I don't
> see the device /dev/cam0 in the /dev tree and since the mount space is
> RO, I cannot create the device node either. However, the device cgroup
> has the right permissions

the whole point of "DevicePolicy" is to be more specific than
PrivateDevices, sample below is the caching disk for Apache Traffic Server
and when you read the docs this is "PrivateDevices + /dev/sdc"

cat /etc/systemd/system/trafficserver.service.d/security-devices.conf
[Service]
DevicePolicy=closed
DeviceAllow=/dev/sdc rw

I really don't see how it would make sense to use *both*

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

DevicePolicy=auto|closed|strict
closed in addition, allows access to standard pseudo devices including
/dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
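A quick check for the combination discussed in this thread, as an added example (not code from the thread or from systemd): a POSIX shell lint that flags a unit or drop-in setting PrivateDevices=yes together with DeviceAllow= for a node that the minimal PrivateDevices /dev tree will not contain. The pseudo-device list is an assumption taken from the PrivateDevices documentation, and the two sample drop-ins are constructed.

```shell
#!/bin/sh
# Added example: lint a systemd unit file or drop-in for the conflict
# described in the thread. Returns 0 when the device settings are
# coherent, 1 when PrivateDevices=yes is combined with DeviceAllow= for
# a device node that PrivateDevices removes from /dev.

# Assumed set of pseudo devices still present under PrivateDevices=yes
# (the page quotes the first five; /dev/tty and /dev/ptmx are assumed).
PSEUDO_DEVS="/dev/null /dev/zero /dev/full /dev/random /dev/urandom /dev/tty /dev/ptmx"

# lint_device_policy FILE -> prints findings, returns 0 (ok) or 1 (conflict)
lint_device_policy() {
    file=$1
    # last occurrence wins, as systemd applies later lines over earlier ones
    private=$(sed -n 's/^PrivateDevices=\(.*\)$/\1/p' "$file" | tail -n 1)
    rc=0
    # every DeviceAllow= line, path only (drop the r/w/m mode suffix)
    for dev in $(sed -n 's/^DeviceAllow=\([^ ]*\).*/\1/p' "$file"); do
        case " $PSEUDO_DEVS " in
            *" $dev "*) continue ;;   # always present, nothing to flag
        esac
        case "$private" in
            yes|true|on|1)
                echo "$file: PrivateDevices=yes hides $dev; the cgroup rule alone cannot make the node appear"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample drop-ins (not files from the thread).
bad=$(mktemp); good=$(mktemp)
printf '[Service]\nPrivateDevices=yes\nDevicePolicy=auto\nDeviceAllow=/dev/cam0 rw\n' > "$bad"
printf '[Service]\nDevicePolicy=closed\nDeviceAllow=/dev/sdc rw\n' > "$good"
for f in "$bad" "$good"; do
    if lint_device_policy "$f"; then echo "$f: ok"; fi
done
rm -f "$bad" "$good"
```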