Subject: Re: representation of persistent device status, was Re: devfs, was Re: ptyfs...
To: None <tech-kern@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 11/30/2004 09:17:00
On Tue, Nov 30, 2004 at 09:50:00AM +0100, Ignatios Souvatzis wrote:
>
> How is a non-writable, non-remountable static /dev different from
> a non-writable, system immutable devfs configuration file?

I can think of a number of ways.  Here are some examples:

1) A whole lot of new and potentially buggy (certainly, highly complex)
   code is in the trusted path.  I don't like that and I doubt Jonathan
   does, either.

2) Typically, my hardened systems run with all writable filesystems mounted
   nodev.  Let me just venture to guess that if I weren't pointing it out
   right now, nobody would bother to think that devfs must refuse to mount
   if its configuration file were on a nodev filesystem.

3) Enforcing the restriction necessary due to #2 means that the file
   parser *must* be in the kernel (think about it: you *cannot* allow
   a userland program to feed you a devfs config structure from RAM,
   or there is no point to ever trying to mount anything nodev; the
   kernel *must* read the config file itself so it can know where it
   is stored and check for nodev).  That means quite a bit of complicated
   code in the kernel (including a parser, and code to read files from
   the filesystem, which AFAIK only LFS does right now, and that only
   for the ifile) and all of this code seems likely prone to bugs which
   could have significant security implications.  That's particularly
   scary to me.

Thor