Subject: Re: disklabel(8) and machdep on-disk structures issues
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 10/30/2003 19:41:01
On Fri, Oct 31, 2003 at 12:25:07AM +0000, David Laight wrote:
>
> I think that disklabel(8) ought to be able to write the label in all
> formats on any format without requiring any kernel code. It should
> probably overwrite any old label by default as well.
> Then the kernel can be changed to play 'hunt the disklabel' for reading
> and have the code that writes labels removed entirely.
> (The 'write label' code would need to be in (say) libutil, so other
> programs can use it.)
I'm concerned that removing all knowledge of the disklabel structure from
the kernel will ultimately result in a situation in which it's impossible
to enforce the restrictions on partition access used to protect the TCB
when running at securelevel > 0.
In fact, I tend to think that _all_ disklabel access should be mediated by
the kernel, using a suitably abstracted interface, and that access to the
label sectors should be explicitly forbidden to all userland programs. I
have seen various proposals for alternate schemes but I have never seen
one (the present scheme included) which protects the integrity of the
partitioning information even against a rogue process operating with root
privileges -- and if you can't trust the partitioning information, the rest
of the integrity guarantees are pretty much shot to hell as well.
Thor