DeviceAllow setting
This systemd unit setting was added since systemd 208.
Purpose: define level of access to devices in /dev
Why and when to use DeviceAllow
The setting DeviceAllow aims to reduce access or its level to devices in /dev. By default, there is no limitation to access devices.
Settings
Define DeviceAllow with the path and access level.
DeviceAllow=/dev/sda3 r
General advice
For most services it might be easier to use ProtectDevices=yes to reduce the devices that can be access.