On 12.01.2023 18:34, Wonko Pfux wrote:
On Thu, Jan 12, 2023 at 05:43:51PM +0300, Andrei Borzenkov wrote:
On Thu, Jan 12, 2023 at 5:28 PM Wonko Pfux <42@wonko.de> wrote:
Is it safe to set PrivateDevices=false
It is just as safe as it was before this change was introduced.
or is there another way?
You may try to add
DeviceAllow=/dev/net/tun
It seems PrivateDevices=true overrides DeviceAllow=/dev/net/tun.
Have you tried it?
So both are nessesary?: PrivateDevices=false DeviceAllow=/dev/net/tun
The systemd Documentation does not state that DeviceAllow means all others are disallowed but: "When access to all physical devices should be disallowed, PrivateDevices= may be used instead"
In the doc for DevicePolicy, which is not set in the service file, it is said that the default (auto) "allows access to all devices if no explicit DeviceAllow= is present"
I have not found docs how ProtectSystem, which is set to full , affects DevicePolicy.
cu Wonko