DevicePolicy setting
This article has last been updated at .
The property DevicePolicy is a systemd unit setting used for sandboxing. It is available since systemd 208.
Purpose: define level of access to devices in /dev
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use DevicePolicy
Systemd has the setting DevicePolicy that aims to reduce access to devices in /dev. By default, there is no limitation to access devices.
Settings
The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. With DeviceAllow access to some paths can be granted. See this setting to find out how to determine what devices are being accessed.
Generic advice
Aim for using ‘strict’ when possible and define entries that should be allowed. To discover files used by a binary, consider inspecting it with the strings command or look at open files from a running process with lsof.
Values
Systemd unit setting DevicePolicy expects a boolean (yes/no or true/false) or string value.
| Value | Intended action | Available since systemd version |
|---|---|---|
| auto | normal access allowed to /dev if there is no DeviceAllow= configured - default | |
| closed | Only access to /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom, and those configured in DeviceAllow= | |
| strict | Only access to devices configured with DeviceAllow |
Example to show the current value of DevicePolicy for the ssh service:
systemctl show --property=DevicePolicy ssh.service
