On 5/20/07, Mikael Nystr=F6m <micke@samladtrupp.se> wrote:
> Hi.
>
> I have a question about how to use a read only root filesystem. I'm
> currently working on a setup that is going to use a read-only root
> filesystem and kern.securelevel set to 2. I tried booting once with
> this setup and realized that I need to mount everything before I set
> securelevel to 2 (not in rc.conf in other words).
>
> I have other partitions that are mounted read-write so every file
> that needs to be updated regulary resides on these partitions
> (actually softlinks for motd/resolv.conf etc), but how about /dev?
> Don't I need it to be read-write? I guess it's not so smart to make
> it a separate partition since it will probably break stuff while
> booting ...
>
> Is there a good document to read about necessary steps for a read
> only root filesystem?

There are some hints on tech-embed for this sort of thing.  Although
they are mostly for a different purpose and will recommend using
memory filesystems.

Maybe you could use veriexec and protect all the files except those
that need to get written regularly.