Subject: Re: FreeBSD 5/6/7 kernel emulator for NetBSD 2.x
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: tech-kern
Date: 10/28/2005 12:32:56
On Fri, Oct 28, 2005 at 10:44:08AM -0400, Thor Lancelot Simon wrote:
> And what are we then supposed to do on another class of "modern systems",
> embedded systems which are required to have certain elements of their
> configurations static for security reasons (or in order to obtain certain
> security certifications)? I commonly mount all read-write filesystems
> nodev, and mount all filesystems containing devices read-only, so that I
> can be *guaranteed* that no new device nodes will be available to user
> processes no matter what else changes.
So then mount the devfs read-only! What's wrong with that? Depending
on how it gets configured, whether at mount time or through a separate
step after it is mounted, you might have to mount it rw, then update it to
ro, but the "configuration" ** for the devfs stays static. Bump the security
level so you can't change the mounted filesystems and you're all set.
eric
** "configuration" being whatever method is used to store the devfs settings
on disk. e.g. currently that is a directory format file (aka /dev),
but a text file can contain the same logical information.