From 7f112f50fea585411ea2d493b3582bea77eb4d6e Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 20 Jan 2014 19:54:51 +0100
Subject: exec: introduce PrivateDevices= switch to provide services with a
 private /dev

Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
---
 man/systemd.exec.xml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'man/systemd.exec.xml')

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 610c821dc0..7eaf52bc5b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -894,6 +894,24 @@
                                 for details.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
+                                process. Defaults to
+                                false.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
-- 
cgit v1.2.3-54-g00ecf