3.5. devices

The devices subsystem allows or denies access to devices by tasks in a cgroup.

Important

The Device Whitelist (devices) subsystem is considered to be a Technology Preview in Red Hat Enterprise Linux 6.
Technology Preview features are currently not supported under Red Hat Enterprise Linux 6 subscription services, might not be functionally complete and are generally not suitable for production use. However, Red Hat includes these features in the operating system as a customer convenience and to increase the features' exposure. You might find these features useful in a non-production environment and are also welcome to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported.
devices.allow
specifies devices to which tasks in a cgroup have access. Each entry has four fields: type, major, minor, and access. The values used in the type, major, and minor fields correspond to device types and node numbers specified in Linux Allocated Devices, otherwise known as the Linux Devices List and available from http://www.kernel.org/doc/Documentation/devices.txt.
type
type can have one of the following three values:
  • a — applies to all devices, both character devices and block devices
  • b — specifies a block device
  • c — specifies a character device
major, minor
major and minor are device node numbers specified by Linux Allocated Devices. The major and minor numbers are separated by a colon. For example, 8 is the major number that specifies Small Computer System Interface (SCSI) disk drives, and the minor number 1 specifies the first partition on the first SCSI disk drive; therefore 8:1 fully specifies this partition, corresponding to a file system location of /dev/sda1.
* can stand for all major or all minor device nodes, for example 9:* (all RAID devices) or *:* (all devices).
access
access is a sequence of one or more of the following letters:
  • r — allows tasks to read from the specified device
  • w — allows tasks to write to the specified device
  • m — allows tasks to create device files that do not yet exist
For example, when access is specified as r, tasks can only read from the specified device, but when access is specified as rw, tasks can read from and write to the device.
devices.deny
specifies devices that tasks in a cgroup cannot access. The syntax of entries is identical with devices.allow.
devices.list
reports the devices for which access controls have been set for tasks in this cgroup.