docs/systemd: describe device rules

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

docs/systemd.md

@@ -104,6 +104,27 @@ The following tables summarize which properties are translated.
 For documentation on systemd unit resource properties, see
 `systemd.resource-control(5)` man page.
 
+### Device access rules
+
+Runc translates device access rules from the runtime spec to systemd properties
+(`DevicePolicy` and `DeviceAllow`). Not all rules and rulesets are supported.
+For example, the following can not be translated:
+ - blacklist-style rulesets;
+ - major-wildcard rules (meaning "all devices with the given minor number").
+
+NOTE that systemd v240 or later is highly recommended, since older versions
+have limited ways to interpret `DeviceAllow` rules. When using systemd older
+than v240, the following limitations exist:
+
+ - it is not possible to add a rule for a device that does not have an
+   equivalent `/dev/{char,block}/<MAJOR>:<minor>` file on the host
+   (for example, this is the case for NVidia devices);
+ - adding a wildcard rule with the set major number and the unset minor number
+   (meaning "all devices with the given major number") results in adding a set
+   of individual rules for existing devices with the given major number,
+   meaning that any devices that will appear after the container start won't
+   be accessible.
+
 ### Auxiliary properties
 
 Auxiliary properties of a systemd unit (as shown by `systemctl show