
DeviceAllow setting

The property DeviceAllow is a systemd unit setting used for sandboxing. It is available since systemd 208.

Purpose: define level of access to devices in /dev

Why and when to use DeviceAllow

By default, systemd units are not restricted in which devices they can access. The DeviceAllow setting reduces device access, typically to the device nodes available under /dev. Once this setting is defined, access to devices is limited to those listed.

Settings

Define DeviceAllow with a path or a string, optionally followed by an access level. When using a path, use the full path to the device node (/dev/sda1). A string can be used to define a particular type of device (char-rtc) or a whole group of devices (char-*) by using a wildcard. If DevicePolicy is not explicitly configured, access to a few generic devices is also allowed (/dev/full, /dev/null, /dev/random, /dev/urandom, /dev/zero).

DeviceAllow=/dev/sda3 r

Other examples:

DeviceAllow=/dev/sda1
DeviceAllow=block-*
DeviceAllow=char-*
DeviceAllow=char-rtc r

See /proc/devices for available character and block devices. Prefix them with their class (char or block) like in the examples.
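As an added example (not taken from the original article), a service unit that combines DevicePolicy with DeviceAllow so that only the listed devices remain reachable; the unit name, script path and device names are assumptions:

```ini
# Added example: /etc/systemd/system/backup.service (hypothetical unit and paths)
[Unit]
Description=Example backup job with restricted device access

[Service]
ExecStart=/usr/local/bin/backup.sh
# Deny device access first. "closed" still permits the generic devices
# (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom);
# use DevicePolicy=strict to drop those as well.
DevicePolicy=closed
# Read-only access to one partition, read/write to the RTC character device.
DeviceAllow=/dev/sda3 r
DeviceAllow=char-rtc rw
# Access flags: r = read, w = write, m = mknod. Omitting them grants rwm.

# After 'systemctl daemon-reload', verify the effective values with:
#   systemctl show -p DevicePolicy -p DeviceAllow backup.service
```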

General advice

For most services it might be easier to use ProtectDevices (with value yes) or set DevicePolicy to reduce the devices that can be accessed.



This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
