Subject: Re: FreeBSD 5/6/7 kernel emulator for NetBSD 2.x
To: Jason Thorpe <>
From: Steven M. Bellovin <>
List: tech-kern
Date: 10/28/2005 16:01:56
In message <>, Jason Thorpe 
>On Oct 28, 2005, at 7:44 AM, Thor Lancelot Simon wrote:
>> And what are we then supposed to do on another class of "modern systems",
>> embedded systems which are required to have certain elements of their
>> configurations static for security reasons (or in order to obtain certain
>> security certifications)?  I commonly mount all read-write filesystems
>> nodev, and mount all filesystems containing devices read-only, so that I
>> can be *guaranteed* that no new device nodes will be available to user
>> processes no matter what else changes.
>And you will still be able to do that.  Who says the devfs can't be
>mounted read-only?  Who says "nodev" won't continue to work on
>regular file systems?  No one has made any such claim.

Will it still be possible to create device inodes by major/minor 

I was wondering about a chrooted application -- it needs some devices
(/dev/null is the obvious example), but I would not want it to have all 
of devfs.  (I also want to ensure that it can't mount it....)

		--Steven M. Bellovin,
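The policy Thor describes above (every read-write filesystem mounted nodev, every filesystem that carries device nodes mounted read-only) is easy to state and easy to drift away from after a reinstall or an fstab edit. The following is an added example, not code from this thread or from NetBSD: a POSIX sh audit that parses mount(8)-style lines and reports any read-write mount that lacks nodev, plus a helper that creates the one device node a chrooted daemon typically needs (/dev/null) by major/minor with mknod, which is the operation Steve asks about. The sample mount listing is constructed; the /dev/null major/minor numbers (2, 2) are an assumption for NetBSD on i386/amd64 and must be checked against /dev/MAKEDEV on the target platform.

```sh
#!/bin/sh
# Added example, not from the NetBSD thread. Audits mount(8)-style output
# against the "rw implies nodev, devices imply read-only" policy.

# Constructed sample of NetBSD mount(8) output (options in parentheses).
# /home is the deliberate policy violation: read-write and not nodev.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (read-only, local)
/dev/wd0e on /var type ffs (nodev, local)
/dev/wd0f on /usr type ffs (read-only, nodev, local)
/dev/wd0g on /home type ffs (local)
/dev/wd0h on /tmp type ffs (nodev, nosuid, local)'

# check_mount LINE
# Prints "ok <mountpoint> (<reason>)" and returns 0 when the mount satisfies
# the policy, otherwise prints "FAIL <mountpoint>: ..." and returns 1.
check_mount() {
    line=$1
    # mount point sits between " on " and " type "
    mp=$(printf '%s\n' "$line" | sed 's/^.* on \(.*\) type .*$/\1/')
    # option list is the last parenthesised group; drop spaces for matching
    opts=$(printf '%s\n' "$line" | sed 's/^.*(\(.*\))$/\1/' | tr -d ' ')
    case ",$opts," in
        *,read-only,*) echo "ok $mp (read-only)"; return 0 ;;
        *,nodev,*)     echo "ok $mp (nodev)";     return 0 ;;
    esac
    echo "FAIL $mp: read-write without nodev"
    return 1
}

# count_nodev_failures < MOUNT_OUTPUT
# Runs check_mount over every non-empty line on stdin. Diagnostics go to
# stderr; the number of failing mounts is printed on stdout.
count_nodev_failures() {
    fails=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_mount "$line" >&2 || fails=$((fails + 1))
    done
    printf '%s\n' "$fails"
}

# make_chroot_null CHROOT_DIR
# Creates CHROOT_DIR/dev/null as a character device by major/minor.
# Assumption: mem major 2, null minor 2 (NetBSD i386/amd64); verify against
# /dev/MAKEDEV on the target. Requires root, so it is not run by default.
make_chroot_null() {
    root=$1
    mkdir -p "$root/dev"
    mknod -m 666 "$root/dev/null" c 2 2
}

# Stand-alone run over the constructed sample; on a live system use:
#   mount | count_nodev_failures
printf '%s\n' "$SAMPLE_MOUNTS" | count_nodev_failures
```

The audit treats a read-only mount as compliant even without nodev, matching Thor's scheme where device nodes live only on read-only filesystems; tighten the first `case` arm if your policy also wants nodev on read-only filesystems that should never carry devices. For the chroot, a hand-built /dev containing only the nodes created by `make_chroot_null` (and whatever else the daemon demonstrably needs) is exactly the "I do not want it to have all of devfs" configuration, and it stays static as long as the filesystem holding it is mounted read-only.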