devices.allow
specifies devices to which tasks in a cgroup have access. Each entry has four fields:type,major, minor, and access. The values used in the type, major, and minor fields correspondto device types and node numbers specified in Linux Allocated Devices,
type
type can have one of the following three values:
a — applies to all devices, both character devices and block devices
b — specifies a block device
c — specifies a character device
major, minor
major and minor are device node numbers specified by Linux Allocated Devices. The major and minor numbers are separated by a colon. For example, 8 is the major
number that specifies SCSI disk drives, and the minor number 1 specifies the first partition on the first SCSI disk drive; therefore 8:1 fully specifies this partition,corresponding to a file system location of /dev/sda1.
* can stand for all major or all minor device nodes, for example 9:* (all RAID devices) or * :* (all devices).
access
access is a sequence of one or more of the following letters:
r — allows tasks to read from the specified device
w — allows tasks to write to the specified device
m — allows tasks to create device files that do not yet exist
For example, when access is specified as r, tasks can only read from the specified device, but when access is specified as rw, tasks can read from and write to the device.
devices.deny
specifies devices that tasks in a cgroup cannot access. T he syntax of entries is identical with devices.allow.
在/devices/cgroup 目录下创建目录 first,并设置禁止设备读:
root@ubuntu:/sys/fs/cgroup/devices# mkdir first
root@ubuntu:/sys/fs/cgroup/devices/first# echo "a 1:5 r" > devices.deny
在另外一个终端中设置:
root@ubuntu:~# cgexec -g devices:first dd if=/dev/zero of=zero bs=1M count=128 &
可见提示如下:
[1] 8973
root@ubuntu:~# dd: 正在打开"/dev/zero": 不允许的操作