First of all, according to the docs, `DeviceAllow` syntax is somewhat different from what you have. Second, you might want to check `DevicePolicy`, as now your unit has access not only to `/dev/zero`, but also to four other devices.

And, hm, I thought those directives control access to device nodes. Why are you expecting them to limit access to the filesystem?

-- Кирилл Елагин

On Wed, Jun 4, 2014 at 10:18 AM, Mohit Agrawal <[email protected]> wrote:
> Hi,
>
> I want to block the device through the systemd cgroup, so I have created the
> below unit file
>
> [Unit]
> Description=mydevblock
> [Service]
> DeviceAllow=/dev/zero
> ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
> Restart=always
> [Install]
> WantedBy=multi-user.target
>
>
> As per my understanding, in this unit file I have allowed only the /dev/zero
> device, so the dd command should not create file_1 successfully; it should
> give an error.
>
> systemctl start mydevblock.service
>
> Below is the status after starting the service, and file_1 is successfully
> created
>
> [host-name ~]# systemctl status mydevblock.service
> ● mydev.service - mydevblock
>    Loaded: loaded (/etc/systemd/system/mydev.service; disabled)
>    Active: failed (Result: start-limit) since Wed 2014-06-04 11:32:24 IST;
> 831ms ago
>   Process: 27800 ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M
> count=40 (code=exited, status=0/SUCCESS)
>  Main PID: 27800 (code=exited, status=0/SUCCESS)
>
> Jun 04 11:32:24 <host-name> systemd[1]: mydev.service holdoff time over,
> scheduling restart.
> Jun 04 11:32:24 <host-name> systemd[1]: Stopping mydevblock...
> Jun 04 11:32:24 <host-name> systemd[1]: Starting mydevblock...
> Jun 04 11:32:24 <host-name> systemd[1]: mydev.service start request
> repeated too quickly, refusing to start.
> Jun 04 11:32:24 <host-name> systemd[1]: Failed to start mydevblock.
> Jun 04 11:32:24 <host-name> systemd[1]: Unit mydev.service entered failed
> state.
>
> [host-name ~]# ls -lrt
> -rw-r--r--. 1 root root 41943040 Jun  4 11:32 file_1
>
>
> Can someone reply why file_1 is created successfully?
> Does anyone have an idea how I can put the restriction on the device?
> Appreciate your inputs on this.
>
>
> Regards
> Mohit Agrawal
> _______________________________________________
> systemd-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
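For reference, here is how the unit from the thread looks with the two points from the reply applied. This is an added example, not a unit posted by either participant: `DeviceAllow=` takes the node path followed by a combination of `r`, `w` and `m` (read, write, mknod), and `DevicePolicy=` has to be set to `strict` if you want only the listed nodes to be reachable (`closed`, which is what `auto` falls back to once a `DeviceAllow=` is present, additionally opens `/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random` and `/dev/urandom`, the "four other devices" mentioned above). The device cgroup never sees `/root/file_1`, because that is a regular file on a filesystem, not a device node; the `ProtectSystem=`/`ProtectHome=` lines are an assumed way to get the behaviour the poster actually wanted, and they require a newer systemd than the 2014 version in the thread.

```ini
# Added example (not from the original post). Unit name and paths follow the
# thread; the sandboxing directives below are an assumption about what the
# poster wanted, not something the thread itself configured.
[Unit]
Description=mydevblock

[Service]
# Opt in to device-cgroup filtering explicitly. "strict": only nodes listed in
# DeviceAllow= are accessible. "closed" (what "auto" becomes once DeviceAllow=
# is set) also allows /dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom.
DevicePolicy=strict

# Syntax is "<node> <rwm>". dd only needs to read /dev/zero.
DeviceAllow=/dev/zero r

# Device cgroups govern device nodes only. To stop the service from writing a
# regular file under /root, restrict its filesystem view instead:
#   ProtectSystem=strict  -> the whole filesystem is read-only for the service
#   ProtectHome=read-only -> /home, /root and /run/user are read-only
# With these in place dd fails with "Read-only file system" on /root/file_1.
ProtectSystem=strict
ProtectHome=read-only

ExecStart=/usr/bin/dd if=/dev/zero of=/root/file_1 bs=1M count=40
# Restart=always from the original unit is dropped on purpose: dd exited 0, so
# it only produced the restart loop and the "start-limit" failure in the status.

[Install]
WantedBy=multi-user.target
```

To see the device cgroup doing its job without touching the filesystem at all, point `dd` at a device node that is not on the allow list: with `DevicePolicy=strict` and `DeviceAllow=/dev/zero r`, `dd if=/dev/zero of=/dev/null count=1` fails to open `/dev/null` with "Operation not permitted", whereas with the default `closed` policy it succeeds. After starting the service, `systemctl show -p DevicePolicy -p DeviceAllow mydevblock.service` confirms what was actually parsed, which is the quickest way to catch the syntax problem the reply points out.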
