Comment # 14 on bug 1232044 from Johannes Segitz
yes, that's what I figured out by now. I always assumed that 
  DevicePolicy=closed
  DeviceAllow=/dev/sda rw
would result in other devices not being available, similarly to
PrivateDevices=true.

But they're just not writable. That confused me when I created a reverse shell
from a service to be able to inspect it.

PrivateDevices=true must not be used in conjunction with the other options, as
it's intended as a one-stop flag for services that don't need any devices.

So the settings in c10 are the correct settings.
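As an added illustration (not part of the bug comment or of any unit shipped by the project), the two sandboxing approaches discussed above side by side in a systemd drop-in. The unit name and the /dev/sda device are assumptions; the option names are the real systemd ones. DevicePolicy=closed restricts access through the cgroup device controller, so unlisted device nodes still appear in /dev but are denied, whereas PrivateDevices=true gives the service its own minimal /dev and is meant to be used on its own.

```ini
# /etc/systemd/system/example.service.d/devices.conf (hypothetical unit name)
[Service]
# Variant A: allow-list approach. Only /dev/sda (plus the standard
# pseudo devices such as /dev/null and /dev/zero) is accessible; every
# other node remains visible in /dev but the cgroup device controller
# refuses access.
DevicePolicy=closed
DeviceAllow=/dev/sda rw

# Variant B: for services that need no physical devices at all. Mounts
# a private, minimal /dev for the service. Do not combine with
# DevicePolicy=/DeviceAllow= above; pick one variant.
#PrivateDevices=true
```

To confirm what a running unit actually ended up with, `systemctl show -p DevicePolicy -p DeviceAllow -p PrivateDevices example.service` prints the effective values, which is the quickest way to spot a drop-in that silently mixed both variants.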
