8.9.3 Restricting Access to Devices

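The following configuration defines a cgroup named blkdev that denies access to the disk devices /dev/sdb, /dev/sdc and /dev/sdd. Each devices.deny entry identifies a block device (b) by its major:minor device number and denies mknod (m), read (r) and write (w) access.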

mount {
    devices = /cgroup/devlist;
}

group blkdev {
    devices {
#       Deny access to /dev/sdb
        devices.deny="b 8:16 mrw";
#       Deny access to /dev/sdc
        devices.deny="b 8:32 mrw";
#       Deny access to /dev/sdd
        devices.deny="b 8:48 mrw";
    }
}
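
The deny entries above hard-code device numbers, and kernel sd names are not guaranteed to stay attached to the same disk across reboots. The script below is an added example, not part of the original guide: it derives each entry from the live device node and reports whether the configuration contains it. It assumes GNU stat and that the configuration lives in /etc/cgconfig.conf; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide.
CONF=${CONF:-/etc/cgconfig.conf}   # assumed location of the configuration

# fmt_rule TYPE HEXMAJOR HEXMINOR
# stat(1) reports device numbers in hex; the devices controller expects decimal.
fmt_rule() {
    printf 'devices.deny="%s %d:%d mrw";\n' "$1" "$((0x$2))" "$((0x$3))"
}

# deny_rule_for NODE
# Print the deny entry for one device node. A rule matches a single
# major:minor pair, so a partition such as /dev/sdb1 needs its own entry.
deny_rule_for() {
    node=$1
    if [ -b "$node" ]; then type=b
    elif [ -c "$node" ]; then type=c
    else
        echo "$node: not a device node" >&2
        return 1
    fi
    nums=$(stat -c '%t %T' "$node") || return 1   # GNU stat format
    set -- $nums
    fmt_rule "$type" "$1" "$2"
}

# conf_has_rule FILE RULE: succeed if FILE contains RULE verbatim.
conf_has_rule() {
    grep -qF -- "$2" "$1"
}

# Usage: sh check-deny.sh /dev/sdb /dev/sdc /dev/sdd
for node in "$@"; do
    rule=$(deny_rule_for "$node") || continue
    if conf_has_rule "$CONF" "$rule"; then
        echo "OK       $rule"
    else
        echo "MISSING  $rule"
    fi
done
```

A MISSING line means the node's current device number has no matching deny entry in the file, so the cgroup would not block it.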