« Back to Settings for systemd units

PrivateDevices setting

The property PrivateDevices is a systemd unit setting used for sandboxing. It is available since systemd 209.

Purpose: only allow access to a subset of devices in /dev

Why and when to use PrivateDevices

By default, a process can see most of the devices in /dev and interact with these devices. The PrivateDevices unit setting in systemd restricts the list of devices. Only pseudo-devices such as /dev/null are made available to the process.

Generic advice

For most systemd units the setting PrivateDevices=yes can be safely used.

Testing

To see how this setting impacts a process, consider using the systemd-run command.

systemd-run --pty --property=PrivateDevices=yes ls -l /dev
total 0
drwxr-xr-x 2 root root  180 nov 15 10:03 char
lrwxrwxrwx 1 root root   11 nov 15 10:03 core -> /proc/kcore
lrwxrwxrwx 1 root root   13 nov 15 10:03 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 nov 15 10:03 full
drwxr-xr-x 3 root root    0 sep  3 09:52 hugepages
lrwxrwxrwx 1 root root   28 nov 15 10:03 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root   40 sep  3 09:51 mqueue
crw-rw-rw- 1 root root 1, 3 nov 15 10:03 null
crw-rw-rw- 1 root root 5, 2 nov 15 10:03 ptmx
drwxr-xr-x 2 root root    0 sep  3 09:51 pts
crw-rw-rw- 1 root root 1, 8 nov 15 10:03 random
drwxrwxrwt 4 root root  280 nov 15 10:03 shm
lrwxrwxrwx 1 root root   15 nov 15 10:03 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 nov 15 10:03 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 nov 15 10:03 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 nov 15 10:03 tty
crw-rw-rw- 1 root root 1, 9 nov 15 10:03 urandom
crw-rw-rw- 1 root root 1, 5 nov 15 10:03 zero

In the output only the new pseudo-devices will be shown now.

Values

This setting expects a boolean (yes or no).

  • no: normal access to devices in /dev - default
  • yes: restrict access to pseudo-devices such as /dev/null, /dev/random, /dev/urandom, and /dev/zero

Example to show the current value of PrivateDevices for the dmesg service:

systemctl show --property=PrivateDevices dmesg.service

Related hardening profiles

The systemd unit setting PrivateDevices is used in the following hardening profiles.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon