From 90060676c442604780634c0a993e3f9c3733f8e6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Sat, 22 Feb 2014 02:47:29 +0100 Subject: cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular devices nodes --- man/systemd.resource-control.xml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) (limited to 'man/systemd.resource-control.xml') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index fcfe861256..0ee983b1c3 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -247,17 +247,31 @@ along with systemd; If not, see . Control access to specific device nodes by the executed processes. Takes two space-separated strings: a - device node path (such as /dev/null) - followed by a combination of r, - w, m to control + device node specifier followed by a combination of + r, w, + m to control reading, writing, - or creation of the specific device node by the unit + or creation of the specific device node(s) by the unit (mknod), respectively. This controls the devices.allow and devices.deny control group - attributes. For details about these control group attributes, - see devices.txt. + + The device node specifier is either a path to a device + node in the file system, starting with + /dev/, or a string starting with either + char- or block- + followed by a device group name, as listed in + /proc/devices. The latter is useful to + whitelist all current and future devices belonging to a + specific device group at once. Examples: + /dev/sda5 is a path to a device node, + referring to an ATA or SCSI block + device. char-pts and + char-alsa are specifiers for all pseudo + TTYs and all ALSA sound devices, respectively. -- cgit v1.2.3-54-g00ecf
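Review bot: the hunk removes the pointer to devices.txt (the deleted lines "attributes. For details about these control group attributes," / "see devices.txt.") without replacing it, so the man page still names the devices.allow and devices.deny control group attributes but no longer cites the kernel documentation that defines them; keep that sentence after the new paragraph. The new paragraph should also say what happens when the name after char- or block- matches no group listed in /proc/devices (rejected when the unit is loaded, or silently ignored), since that is the failure mode an administrator who mistypes a group name will need to look up. Because a group specifier such as char-alsa grants access to every current and future device in that group, a short remark that the /dev/ path form is the narrower choice when only one node is needed would help readers keep DeviceAllow= lists to least privilege.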