Subject: Re: representation of persistent device status, was Re: devfs, was Re: ptyfs...
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: tech-kern
Date: 11/30/2004 15:13:15
On Tue, Nov 30, 2004 at 01:52:28PM -0500, Thor Lancelot Simon wrote:
> Now, security level 2 forbids *all* new mounts; I did this long ago as
> a very crude hack to allow me to not worry about new mounts of MFS
> filesystems without nodev and noexec.  However, that _is not and should
> not be_ necessary just to actually have nodev semantics enforced, and
> in fact one project I worked on simply added a small number of lines to
> the kernel to enforce the "writable means nodev" policy.
> 
> With devfs, with the nodes-and-permissions structure parsed by userland
> and fed to the kernel in-memory so it cannot know its provenance, it is
> essentially the case that nodev is meaningless against even a moderately
> sophisticated attacker.  And that means that the kernel has to parse the
> file, so that it can know that it did not come from a nodev filesystem;
> or we have to just punt on nodev semantics entirely.

	I don't think this is true.  If you intention is to prevent any new devices
then all you have to do is disable the mounting of new devfs filesystems.
This can be a flag that devfs checks (like securelevel = 2 but only for devfs):
sysctl -w vfs.devfs.prevent_new_mounts=1
and don't allow that to be cleared.
In this scheme, ALL filesystems are automatically nodev and once the flag is set
you can't have a new devfs, so no new devices are possible.

eric