Este contenido no está disponible en el idioma seleccionado.
3.5. devices
The
devices
subsystem allows or denies access to devices by tasks in a cgroup.
Important
The Device Whitelist (
devices
) subsystem is considered to be a Technology Preview in Red Hat Enterprise Linux 6.
Technology Preview features are currently not supported under Red Hat Enterprise Linux 6 subscription services, might not be functionally complete and are generally not suitable for production use. However, Red Hat includes these features in the operating system as a customer convenience and to increase the features' exposure. You might find these features useful in a non-production environment and are also welcome to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported.
- devices.allow
- specifies devices to which tasks in a cgroup have access. Each entry has four fields: type, major, minor, and access. The values used in the type, major, and minor fields correspond to device types and node numbers specified in Linux Allocated Devices, otherwise known as the Linux Devices List and available from https://www.kernel.org/doc/html/v4.11/admin-guide/devices.html.
- type
- type can have one of the following three values:
a
— applies to all devices, both character devices and block devicesb
— specifies a block devicec
— specifies a character device
- major, minor
- major and minor are device node numbers specified by Linux Allocated Devices. The major and minor numbers are separated by a colon. For example,
8
is the major number that specifies Small Computer System Interface (SCSI) disk drives, and the minor number1
specifies the first partition on the first SCSI disk drive; therefore8:1
fully specifies this partition, corresponding to a file system location of/dev/sda1
.*
can stand for all major or all minor device nodes, for example9:*
(all RAID devices) or*:*
(all devices). - access
- access is a sequence of one or more of the following letters:
r
— allows tasks to read from the specified devicew
— allows tasks to write to the specified devicem
— allows tasks to create device files that do not yet exist
For example, when access is specified asr
, tasks can only read from the specified device, but when access is specified asrw
, tasks can read from and write to the device.
- devices.deny
- specifies devices that tasks in a cgroup cannot access. The syntax of entries is identical with
devices.allow
. - devices.list
- reports the devices for which access controls have been set for tasks in this cgroup.