author: Lennart Poettering <lennart@poettering.net> 2014-02-22 02:47:29 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-22 03:05:34 +0100
commit: 90060676c442604780634c0a993e3f9c3733f8e6 (patch)
tree: b9a4ea6ffee5bcffdf63f3034f7c460f5559c30f /man
parent: 1620510ada018f1e1f0be114714826f6698501f2 (diff)
cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular device nodes
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.resource-control.xml 26
1 files changed, 20 insertions, 6 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index fcfe861256..0ee983b1c3 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -247,17 +247,31 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
<listitem>
<para>Control access to specific device nodes by the
executed processes. Takes two space-separated strings: a
- device node path (such as <filename>/dev/null</filename>)
- followed by a combination of <constant>r</constant>,
- <constant>w</constant>, <constant>m</constant> to control
+ device node specifier followed by a combination of
+ <constant>r</constant>, <constant>w</constant>,
+ <constant>m</constant> to control
<emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting,
- or creation of the specific device node by the unit
+ or creation of the specific device node(s) by the unit
(<emphasis>m</emphasis>knod), respectively. This controls
the <literal>devices.allow</literal> and
<literal>devices.deny</literal> control group
- attributes. For details about these control group attributes,
- see <ulink
+ attributes. For details about these control group
+ attributes, see <ulink
url="https://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para>
+
+ <para>The device node specifier is either a path to a device
+ node in the file system, starting with
+ <filename>/dev/</filename>, or a string starting with either
+ <literal>char-</literal> or <literal>block-</literal>
+ followed by a device group name, as listed in
+ <filename>/proc/devices</filename>. The latter is useful to
+ whitelist all current and future devices belonging to a
+ specific device group at once. Examples:
+ <filename>/dev/sda5</filename> is a path to a device node,
+ referring to an ATA or SCSI block
+ device. <literal>char-pts</literal> and
+ <literal>char-alsa</literal> are specifiers for all pseudo
+ TTYs and all ALSA sound devices, respectively.</para>
</listitem>
</varlistentry>
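Review bot: The new paragraph ("The device node specifier is either a path to a device node ... or a string starting with either char- or block-") does not say what happens to a specifier that matches neither form, i.e. a path not starting with `/dev/` or a string without a `char-`/`block-` prefix; since this value feeds the `devices.allow` and `devices.deny` attributes, state whether such an entry is rejected at unit load time or silently ignored, so an admin does not believe a restriction is in place when it is not. The same paragraph should also spell out that a `char-`/`block-` group specifier grants the listed `r`/`w`/`m` access to every current and future node of that group (the text already says "all current and future devices"), so a unit that needs a single node should keep using the `/dev/` path form; one sentence such as "Prefer a device node path when only a specific device is needed" after the examples would make the least-privilege choice explicit.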