DevicePolicy setting
This systemd unit setting was added since systemd 208.
Purpose: define level of access to devices in /dev
Why and when to use DevicePolicy
The setting DevicePolicy aims to reduce access to devices in /dev. By default, there is no limitation to access devices.
Settings
The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. Unless output is being redirect to /dev/null, then access could be granted with DeviceAllow=/dev/null.
Generic advice
Aim for using ‘strict’ when possible and define entries that should be allowed. To discover files used by a binary, consider inspecting it with the strings command or look at open files from a running process with lsof.
Values
- auto: normal access allowed to /dev if there is no DeviceAllow= configured - default
- closed: Only access to /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom, and those configured in DeviceAllow=
- strict: Only access to devices configured with DeviceAllow
Example to show the current value of DevicePolicy for the dmesg service:
systemctl show --property=DevicePolicy dmesg.service