Subject: Re: representation of persistent device status, was Re: devfs, was Re: ptyfs...
To: None <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 11/30/2004 09:17:00
On Tue, Nov 30, 2004 at 09:50:00AM +0100, Ignatios Souvatzis wrote:
> How is a non-writable,non-remountable static /dev different from
> a non-writable, system immutable devfs configuration file?
I can think of a number of ways. Here are some examples:
1) A whole lot of new and potentially buggy (certainly, highly complex)
code is in the trusted path. I don't like that and I doubt Jonathan
2) Typically, my hardened systems run with all writable filesystems mounted
nodev. Let me just venture to guess that if I weren't pointing it out
right now, nobody would bother to think that devfs must refuse to mount
if its configuration file were on a nodev filesystem.
3) Enforcing the restriction necessary due to #2 means that the file
parser *must* be in the kernel (think about it: you *cannot* allow
a userland program to feed you a devfs config structure from RAM,
or there is no point to ever trying to mount anything nodev; the
kernel *must* read the config file itself so it can know where it
is stored and check for nodev). That means quite a bit of complicated
code in the kernel (including a parser, and code to read files from
the filesystem, which AFAIK only LFS does right now, and that only
for the ifile) and all of this code seems likely prone to bugs which
could have significant security implications. That's particularly
scary to me.