DeviceAllow setting
The property DeviceAllow is a systemd unit setting used for sandboxing. It is available since systemd 208.
Purpose: Allow access to a device
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use DeviceAllow
Systemd does not restrict access to devices by systemd units by default. The setting DeviceAllow aims to reduce device access, typically to the device nodes available within /dev. Once this setting is defined, access to devices will be restricted.
Settings
Define DeviceAllow with a path or string and optionally an access level. When using a path, use the full path to the device node (/dev/sda1). A string can be used to define a particular type of device (char-rtc) or a group (char-*) by using a wildcard. If DevicePolicy is not specifically configured, access to a few generic devices will also be allowed (/dev/full, /dev/null, /dev/random, /dev/urandom, /dev/zero).
DeviceAllow=/dev/sda3 r
Other examples:
DeviceAllow=/dev/sda1
DeviceAllow=block-*
DeviceAllow=char-*
DeviceAllow=char-rtc r
See /proc/devices for available character and block devices. Prefix them with their class (char or block) like in the examples.
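The following script is an added example, not part of the original article: it validates the access flags systemd accepts after a device name, turns the driver names listed in /proc/devices into the class-prefixed form (char-..., block-...) described above, and renders a drop-in that combines DeviceAllow with DevicePolicy=closed. The /proc/devices text it parses is a constructed sample so the script runs offline; on a live system you would pass "$(cat /proc/devices)" instead.

```shell
#!/bin/sh
# Constructed sample of /proc/devices (not read from the live system).
SAMPLE_PROC_DEVICES='Character devices:
  1 mem
  4 tty
  5 /dev/tty
 10 misc
250 rtc

Block devices:
  8 sd
259 blkext'

# systemd accepts any combination of r (read), w (write) and m (mknod) after
# the device name; reject anything else before it ends up in a unit file.
valid_access() {
    case "$1" in
        '')       return 1 ;;
        *[!rwm]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# One DeviceAllow= line for a device node (/dev/sda1) or a class name (char-rtc).
device_allow_line() {
    valid_access "$2" || return 1
    printf 'DeviceAllow=%s %s\n' "$1" "$2"
}

# Parse /proc/devices output ($1) and emit one class-prefixed DeviceAllow= line
# per driver name with the access string in $2. Entries that are themselves
# paths (such as "/dev/tty") are not class names and are skipped.
proc_devices_to_allow() {
    valid_access "$2" || return 1
    printf '%s\n' "$1" | awk -v access="$2" '
        /^Character devices:/ { cls = "char";  next }
        /^Block devices:/     { cls = "block"; next }
        NF == 2 && cls != "" && $2 !~ /^\// {
            printf "DeviceAllow=%s-%s %s\n", cls, $2, access
        }'
}

# Render a drop-in: DevicePolicy=closed removes the default access to every
# device; only the listed ones (plus the implicitly allowed pseudo devices
# such as /dev/null) stay reachable, each with read access here.
render_dropin() {
    printf '[Service]\nDevicePolicy=closed\n'
    for dev in "$@"; do
        device_allow_line "$dev" r
    done
}

# Demonstration: a drop-in for two devices, then the class names from the sample.
render_dropin /dev/sda3 char-rtc
proc_devices_to_allow "$SAMPLE_PROC_DEVICES" r
```

Save the rendered drop-in as a file in the service's .d directory (for example under /etc/systemd/system/<service>.service.d/) and reload systemd; the class lines from /proc/devices are candidates to narrow down, not a list to allow wholesale.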
General advice
For most services it might be easier to use PrivateDevices (with value yes) or set DevicePolicy to reduce the devices that can be accessed.
Implementation
There are multiple ways to find out which devices a service might use:
- Have a look at the source code of the program and look for specific entries pointing to /dev
- Use the Linux audit framework to set a watch on /dev and monitor usage by a process
- Use the strings command on a binary and filter out all entries starting with /dev
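As an added example (not part of the original article), the script below carries out the last two discovery steps on constructed input and turns the result into DeviceAllow candidates: it pulls /dev references out of a binary the way strings plus a filter would, extracts the paths named in audit PATH records produced by a watch on /dev, merges both, and drops the pseudo devices that are allowed implicitly anyway. The binary bytes, the audit records and the service name "backup" are all constructed samples.

```shell
#!/bin/sh
# Constructed stand-in for a binary: a few non-text bytes around two /dev
# strings, one repeated and one glued to other data, as strings(1) would see it.
sample_binary() {
    printf '\177ELF\001\002\000/dev/sda1\000\003\004garbage/dev/urandom\000/dev/sda1\000'
}

# Constructed, abbreviated audit records as produced by a watch such as
# `auditctl -w /dev -p rwa -k devaccess`; only the fields used here are kept.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:11): syscall=257 success=yes comm="backup" key="devaccess"
type=PATH msg=audit(1700000000.101:11): item=0 name="/dev/sda1" mode=060660
type=SYSCALL msg=audit(1700000000.102:12): syscall=257 success=yes comm="backup" key="devaccess"
type=PATH msg=audit(1700000000.102:12): item=0 name="/dev/null" mode=020666
type=PATH msg=audit(1700000000.103:13): item=0 name="/dev/rtc0" mode=020660'

# Unique /dev references in whatever arrives on stdin. grep -a treats a binary
# as text, so this works on the raw file as well as on the output of strings(1).
dev_refs() {
    grep -a -o -E '/dev/[A-Za-z0-9_./-]+' | sort -u
}

# Unique /dev paths named in audit PATH records read from stdin.
dev_refs_from_audit() {
    grep -o 'name="/dev/[^"]*"' | sed 's/^name="//; s/"$//' | sort -u
}

# Turn discovered paths (stdin) into DeviceAllow= lines with the given access
# (default r). The pseudo devices systemd allows implicitly once DeviceAllow is
# in use need no line of their own and are dropped.
suggest_device_allow() {
    access="${1:-r}"
    while IFS= read -r dev; do
        case "$dev" in
            /dev/null|/dev/zero|/dev/full|/dev/random|/dev/urandom) continue ;;
        esac
        printf 'DeviceAllow=%s %s\n' "$dev" "$access"
    done
}

# Demonstration: merge both sources and print the candidate lines.
{
    sample_binary | dev_refs
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | dev_refs_from_audit
} | sort -u | suggest_device_allow r
```

On a real system, replace sample_binary with the service's executable (strings /path/to/binary | dev_refs also works) and feed ausearch -k devaccess output into dev_refs_from_audit; the audit source is the more reliable of the two, since it records what the running service actually opened rather than every path string compiled into it.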