devicessubsystem allows or denies access to devices by tasks in a cgroup.
The Device Whitelist (
devices) subsystem is considered to be a Technology Preview in Red Hat Enterprise Linux 6.
Technology Preview features are currently not supported under Red Hat Enterprise Linux 6 subscription services, might not be functionally complete and are generally not suitable for production use. However, Red Hat includes these features in the operating system as a customer convenience and to increase the features' exposure. You might find these features useful in a non-production environment and are also welcome to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported.
- specifies devices to which tasks in a cgroup have access. Each entry has four fields: type, major, minor, and access. The values used in the type, major, and minor fields correspond to device types and node numbers specified in Linux Allocated Devices, otherwise known as the Linux Devices List and available from https://www.kernel.org/doc/html/v4.11/admin-guide/devices.html.
- type can have one of the following three values:
a— applies to all devices, both character devices and block devices
b— specifies a block device
c— specifies a character device
- major, minor
- major and minor are device node numbers specified by Linux Allocated Devices. The major and minor numbers are separated by a colon. For example,
8is the major number that specifies Small Computer System Interface (SCSI) disk drives, and the minor number
1specifies the first partition on the first SCSI disk drive; therefore
8:1fully specifies this partition, corresponding to a file system location of
*can stand for all major or all minor device nodes, for example
9:*(all RAID devices) or
- access is a sequence of one or more of the following letters:
For example, when access is specified as
r— allows tasks to read from the specified device
w— allows tasks to write to the specified device
m— allows tasks to create device files that do not yet exist
r, tasks can only read from the specified device, but when access is specified as
rw, tasks can read from and write to the device.
- specifies devices that tasks in a cgroup cannot access. The syntax of entries is identical with
- reports the devices for which access controls have been set for tasks in this cgroup.