In message <D8F0C8E3-2698-4AF9-9DEF-85B68C6C54C5@shagadelic.org>, Jason Thorpe 
writes:
>
>On Oct 28, 2005, at 7:44 AM, Thor Lancelot Simon wrote:
>
>> And what are we then supposed to do on another class of "modern  
>> systems",
>> embedded systems which are required to have certain elements of their
>> configurations static for security reasons (or in order to obtain  
>> certain
>> security certifications)?  I commonly mount all read-write filesystems
>> nodev, and mount all filesystems containing devices read-only, so  
>> that I
>> can be *guaranteed* that no new device nodes will be available to user
>> processes no matter what else changes.
>
>And you will still be able to do that.  Who says the devfs can't be  
>mounted read-only?  Who says "nodev" won't continue to work on  
>regular file systems?  No one has made any such claim.
>

Will it still be possible to create devices inodes by major/minor 
number?

I was wondering about a chrooted application -- it needs some devices
(/dev/null is the obvious example), but I would not want it to have all 
of devfs.  (I also want to ensure that it can't mount it....)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb