« Back to Settings for systemd units

DevicePolicy setting

The property DevicePolicy is a systemd unit setting used for sandboxing. It is available since systemd 208.

Purpose: define level of access to devices in /dev

Why and when to use DevicePolicy

The setting DevicePolicy aims to reduce access to devices in /dev. By default, there is no limitation to access devices.

Settings

The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. Unless output is being redirect to /dev/null, then access could be granted with DeviceAllow=/dev/null.

Generic advice

Aim for using ‘strict’ when possible and define entries that should be allowed. To discover files used by a binary, consider inspecting it with the strings command or look at open files from a running process with lsof.

Values

  • auto: normal access allowed to /dev if there is no DeviceAllow= configured - default
  • closed: Only access to /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom, and those configured in DeviceAllow=
  • strict: Only access to devices configured with DeviceAllow

Example to show the current value of DevicePolicy for the dmesg service:

systemctl show --property=DevicePolicy dmesg.service

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon