DevicePolicy setting
The property DevicePolicy is a systemd unit setting used for sandboxing. It is available since systemd 208.
Purpose: define level of access to devices in /dev
Why and when to use DevicePolicy
The setting DevicePolicy aims to reduce access to devices in /dev. By default, there is no limitation to access devices.
Settings
The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. Unless output is being redirect to /dev/null, then access could be granted with DeviceAllow=/dev/null.
Generic advice
Aim for using ‘strict’ when possible and define entries that should be allowed. To discover files used by a binary, consider inspecting it with the strings command or look at open files from a running process with lsof.
Values
Systemd unit setting DevicePolicy expects a boolean (yes/no or true/false) or string value.
| Value | Intended action | Available since systemd version |
|---|---|---|
| auto | normal access allowed to /dev if there is no DeviceAllow= configured - default | |
| closed | Only access to /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom, and those configured in DeviceAllow= | |
| strict | Only access to devices configured with DeviceAllow |
Example to show the current value of DevicePolicy for the ssh service:
systemctl show --property=DevicePolicy ssh.service
