| author | Lennart Poettering <lennart@poettering.net> | 2014-02-22 02:47:29 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-02-22 03:05:34 +0100 |
| commit | 90060676c442604780634c0a993e3f9c3733f8e6 (patch) | |
| tree | b9a4ea6ffee5bcffdf63f3034f7c460f5559c30f /man | |
| parent | 1620510ada018f1e1f0be114714826f6698501f2 (diff) | |
cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular device nodes
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.resource-control.xml | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index fcfe861256..0ee983b1c3 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -247,17 +247,31 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>. <listitem> <para>Control access to specific device nodes by the executed processes. Takes two space-separated strings: a - device node path (such as <filename>/dev/null</filename>) - followed by a combination of <constant>r</constant>, - <constant>w</constant>, <constant>m</constant> to control + device node specifier followed by a combination of + <constant>r</constant>, <constant>w</constant>, + <constant>m</constant> to control <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting, - or creation of the specific device node by the unit + or creation of the specific device node(s) by the unit (<emphasis>m</emphasis>knod), respectively. This controls the <literal>devices.allow</literal> and <literal>devices.deny</literal> control group - attributes. For details about these control group attributes, - see <ulink + attributes. For details about these control group + attributes, see <ulink url="https://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para> + + <para>The device node specifier is either a path to a device + node in the file system, starting with + <filename>/dev/</filename>, or a string starting with either + <literal>char-</literal> or <literal>block-</literal> + followed by a device group name, as listed in + <filename>/proc/devices</filename>. The latter is useful to + whitelist all current and future devices belonging to a + specific device group at once. Examples: + <filename>/dev/sda5</filename> is a path to a device node, + referring to an ATA or SCSI block + device. <literal>char-pts</literal> and + <literal>char-alsa</literal> are specifiers for all pseudo + TTYs and all ALSA sound devices, respectively.</para> </listitem> </varlistentry> |
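Review bot: the unchanged lead sentence of this paragraph, "Control access to specific device nodes by the executed processes", no longer describes the full behaviour once the hunk admits `char-` and `block-` group specifiers that match "all current and future devices belonging to a specific device group"; reword it to cover device nodes and device groups so readers do not assume the whitelist is limited to individual nodes. The new paragraph also leaves unspecified what happens when the named group does not appear in `/proc/devices` (for instance because the driver is not loaded): whether the unit fails to start or the entry is silently ignored matters for an access-control setting and should be stated. Finally, since a group specifier is deliberately broader than a path, a sentence recommending the path form where a single node suffices would help administrators apply the narrower rule; the examples sentence is also long enough to stand as its own `<para>`.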