Hello,
Just out of curiosity, I commented out DeviceAllow=/dev/net/tun rwm in
[email protected] and tried running. A failure was expected, but
it was not.
copy_devnodes() in src/nspawn/nspawn.c executes mknod() on /dev/net/tun;
EPERM is expected because DeviceAllow=/dev/net/tun rwm does no
If 1) the service has
[Service]
DevicePolicy=closed
DeviceAllow=char-foobar rw # or "char-*", or "/dev/foobar*"
2) the foobar module is not loaded and the foobar major is not known to the kernel
yet at the moment the service started,
3) some time after the service was started, the foobar module is loaded (e.g.
t
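To make the timing problem in that scenario concrete, here is an added example (not systemd's code, and not from any message in this thread) of how a "char-<group>"/"block-<group>" or path specifier has to be translated into a devices-cgroup rule before it can be installed: the group name is looked up in /proc/devices, and a path is stat()ed for its major:minor, so a major that is not registered yet, or a node that does not exist yet, cannot be whitelisted at service start. The /proc/devices snapshots, the foobar major 42 and the fake stat() results are constructed for the example; the resolver does not implement path globs such as /dev/foobar*, and its default of "rwm" when no access string is given is the example's own choice, not a claim about systemd's parser.

```python
import os
import re
import stat
from types import SimpleNamespace
from typing import Dict, List, Optional, Tuple

# Constructed /proc/devices snapshot (not from a real host): "misc" (major 10,
# the group /dev/net/tun belongs to) is registered, "foobar" is not, i.e. the
# foobar module has not been loaded yet.
PROC_DEVICES_BEFORE = """\
Character devices:
  1 mem
  4 tty
  5 /dev/tty
 10 misc
128 ptm
136 pts

Block devices:
  7 loop
  8 sd
259 blkext
"""

# Same snapshot after a hypothetical "modprobe foobar" registered major 42
# (the number is made up for this example).
PROC_DEVICES_AFTER = PROC_DEVICES_BEFORE.replace(" 10 misc\n", " 10 misc\n 42 foobar\n")

# Constructed stand-in for os.stat(): only /dev/net/tun (char 10:200) exists.
FAKE_DEV_NODES = {
    "/dev/net/tun": SimpleNamespace(st_mode=stat.S_IFCHR | 0o666, st_rdev=os.makedev(10, 200)),
}


def fake_stat(path: str):
    try:
        return FAKE_DEV_NODES[path]
    except KeyError:
        raise FileNotFoundError(path)


def parse_proc_devices(text: str) -> Dict[str, Dict[str, int]]:
    """Map /proc/devices text to {"c": {group: major}, "b": {group: major}}."""
    majors: Dict[str, Dict[str, int]] = {"c": {}, "b": {}}
    kind = None
    for line in text.splitlines():
        if line.startswith("Character devices"):
            kind = "c"
        elif line.startswith("Block devices"):
            kind = "b"
        else:
            m = re.match(r"\s*(\d+)\s+(\S+)", line)
            if kind and m:
                majors[kind][m.group(2)] = int(m.group(1))
    return majors


def resolve_device_allow(spec: str, proc_devices: str, stat_fn=os.stat) -> Optional[str]:
    """Turn one DeviceAllow= value into a cgroup-v1 devices.allow rule such as
    "c 10:* rw", or None when the device cannot be identified right now."""
    fields = spec.split()
    node = fields[0]
    access = fields[1] if len(fields) > 1 else "rwm"  # default is this example's choice
    if not access or set(access) - set("rwm"):
        raise ValueError(f"bad access string {access!r}")
    majors = parse_proc_devices(proc_devices)
    for prefix, kind in (("char-", "c"), ("block-", "b")):
        if node.startswith(prefix):
            group = node[len(prefix):]
            if group == "*":
                return f"{kind} *:* {access}"
            major = majors[kind].get(group)
            if major is None:
                return None  # group not registered yet: no major to whitelist
            return f"{kind} {major}:* {access}"
    try:
        st = stat_fn(node)  # concrete path: take its major:minor
    except FileNotFoundError:
        return None  # node does not exist yet (e.g. module not loaded)
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        raise ValueError(f"{node} is not a device node")
    return f"{kind} {os.major(st.st_rdev)}:{os.minor(st.st_rdev)} {access}"


def resolve_all(specs: List[str], proc_devices: str, stat_fn=os.stat) -> Tuple[List[str], List[str]]:
    """Resolve every DeviceAllow= line once, as happens at service start, and
    return (rules that can be installed now, specs that could not be resolved)."""
    rules: List[str] = []
    unresolved: List[str] = []
    for spec in specs:
        rule = resolve_device_allow(spec, proc_devices, stat_fn)
        if rule is None:
            unresolved.append(spec)
        else:
            rules.append(rule)
    return rules, unresolved


if __name__ == "__main__":
    specs = ["/dev/net/tun rwm", "char-foobar rw", "char-misc rw"]
    print("at start:      ", resolve_all(specs, PROC_DEVICES_BEFORE, fake_stat))
    print("after modprobe:", resolve_all(specs, PROC_DEVICES_AFTER, fake_stat))
```

Run stand-alone, the script shows "char-foobar rw" in the unresolved list at start time and resolved to "c 42:* rw" only against the post-modprobe snapshot, which is the gap step 3) above points at: whatever was installed at start does not learn about the major registered later unless the rules are recomputed.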
On Mon, 17.12.12 16:50, Juan Orti Alcaine ([email protected]) wrote:
> Hello,
>
> I'm testing some of the security measures described in this post [1], and I'm
> having problems with the DeviceAllow directive.
>
> If I get it right, if I allow one access, all the remaining devices are
>
Hello,
I'm testing some of the security measures described in this post [1], and I'm
having problems with the DeviceAllow directive.
If I get it right, if I allow one access, all the remaining devices are
disallowed. But my tests show otherwise. The man page doesn't talk about this
behavior.