PrivateDevices setting
The property PrivateDevices is a systemd unit setting used for sandboxing. It is available since systemd 209.
Purpose: only allow access to a subset of devices in /dev
Why and when to use PrivateDevices
By default, a process can see most of the devices in /dev and interact with them. The PrivateDevices unit setting in systemd gives the unit a private /dev with a restricted set of device nodes: only pseudo-devices such as /dev/null are made available to the process, while the nodes for physical devices such as disks are not.
Generic advice
For most systemd units the setting PrivateDevices=yes can be safely used. The exception is a unit whose service needs a real device node, such as a disk, a serial port or a GPU; for such a unit the setting breaks the service and should stay off.
Testing
To see how this setting impacts a process, consider using the systemd-run command.
systemd-run --pty --property=PrivateDevices=yes ls -l /dev
total 0
drwxr-xr-x 2 root root 180 nov 15 10:03 char
lrwxrwxrwx 1 root root 11 nov 15 10:03 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 nov 15 10:03 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 nov 15 10:03 full
drwxr-xr-x 3 root root 0 sep 3 09:52 hugepages
lrwxrwxrwx 1 root root 28 nov 15 10:03 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root 40 sep 3 09:51 mqueue
crw-rw-rw- 1 root root 1, 3 nov 15 10:03 null
crw-rw-rw- 1 root root 5, 2 nov 15 10:03 ptmx
drwxr-xr-x 2 root root 0 sep 3 09:51 pts
crw-rw-rw- 1 root root 1, 8 nov 15 10:03 random
drwxrwxrwt 4 root root 280 nov 15 10:03 shm
lrwxrwxrwx 1 root root 15 nov 15 10:03 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 nov 15 10:03 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 nov 15 10:03 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 nov 15 10:03 tty
crw-rw-rw- 1 root root 1, 9 nov 15 10:03 urandom
crw-rw-rw- 1 root root 1, 5 nov 15 10:03 zero
The output now shows only the pseudo-devices that systemd creates in the private /dev; the device nodes for physical hardware are no longer visible to the process.
Values
The PrivateDevices unit setting takes a boolean value (yes/no or true/false).
Value | Intended action | Available since systemd version
---|---|---
no | normal access to devices in /dev (default) | 
yes | restrict access to pseudo-devices such as /dev/null, /dev/random, /dev/urandom, and /dev/zero | 
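Checking the value on a live system is a single systemctl call, but auditing many unit files (and the drop-ins that override them) is easier offline. The script below is an added example, not code from the original page: it parses unit file text the way systemd merges it (later fragments override earlier ones), accepts the boolean spellings systemd takes, and reports the effective PrivateDevices value. The unit names, paths and ExecStart lines in SAMPLE_UNITS are constructed for the demonstration.

```python
"""Audit systemd unit text for the PrivateDevices sandboxing setting."""
import re

# Boolean spellings systemd accepts for settings such as PrivateDevices.
_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}
# Sections that carry execution settings like PrivateDevices.
_EXEC_SECTIONS = {"Service", "Socket", "Mount", "Swap"}


def parse_boolean(value):
    """Parse a systemd boolean; raise on anything systemd would reject."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a systemd boolean: {value!r}")


def private_devices(fragments):
    """Return the effective PrivateDevices value for one unit.

    `fragments` is the unit file text followed by its drop-in texts, in the
    order systemd merges them; the last assignment wins. Returns False when
    the setting is absent, which is systemd's default."""
    effective = False
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue                      # blank line or comment
            header = re.match(r"\[(.+)\]$", line)
            if header:
                section = header.group(1)
                continue
            key, sep, value = line.partition("=")
            if sep and section in _EXEC_SECTIONS and key.strip() == "PrivateDevices":
                effective = parse_boolean(value)
    return effective


def audit(units):
    """Map unit name -> effective PrivateDevices for {name: [fragment, ...]}."""
    return {name: private_devices(frags) for name, frags in units.items()}


# Constructed sample units: unhardened, hardened through a drop-in, and one
# whose drop-in turns the setting off again because it needs real disk nodes.
SAMPLE_UNITS = {
    "web.service": ["[Unit]\nDescription=web\n\n[Service]\nExecStart=/usr/bin/web\n"],
    "ssh.service": ["[Service]\nExecStart=/usr/sbin/sshd -D\n",
                    "# ssh.service.d/hardening.conf\n[Service]\nPrivateDevices=yes\n"],
    "smartd.service": ["[Service]\nExecStart=/usr/sbin/smartd\nPrivateDevices=true\n",
                       "[Service]\nPrivateDevices=no\n"],
}

if __name__ == "__main__":
    for unit, enabled in audit(SAMPLE_UNITS).items():
        print(f"{unit}: PrivateDevices={'yes' if enabled else 'no'}")
```

On a real host, feed it the output of `systemctl cat <unit>`, which prints the unit file and its drop-ins in merge order.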
Example to show the current value of PrivateDevices for the ssh service:
systemctl show --property=PrivateDevices ssh.service
Related hardening profiles
The systemd unit setting PrivateDevices is used in the following hardening profiles.