Subject: Re: new kpi proposal, sysdisk(9)
To: Bill Studenmund <wrstuden@netbsd.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 12/30/2006 01:17:21
Bill Studenmund wrote:

> We already have (or had, I haven't looked recently) code to ensure that 
> you don't open overlapping partitions. Combined with the whole-disk 
> partition, that lets us effectively merge the two (there is something you 
> open that is the whole disk).

Please take a look at where that code is located (per-arch) and ensure
it works as advertised. If you manage to do that, for all NetBSD ports,
and then for wedges, you'll have to take care of issues such as
sending an ioctl to an open "partition" that will apply to the whole
disk.

Will you look into it and get back to the list with the results?

> The reason you wanted this change (that we would not otherwise know they 
> are in use) applies equally here too; right now we would have no direct 
> method to determine they were in use (note I said direct. Yes, you could 
> look at swap and RAIDFrame device usage, but that's not the point :-).

I'm afraid you're wrong here too. The reason I wanted this change is so
that we can tell, if someone accesses /dev/rwd0b, that while this
may be the block device for the inactive swap partition, it's really the
same physical disk as /dev/wd0a, our root fs, and where /etc is.

I think I made it quite clear when I normalized all devices to be char,
then compared their major device and DISKUNIT().

> Likewise, the fact that part of the above-mentioned disk is open for swap 
> does not (or should not) preclude a different part of the disk being 
> opened for mounting or raid or whatever.

Let me just quote my original mail:

	original motivation is raw disk access policy enforcement in
	securelevel. currently, only disks that are mounted are denied
	raw disk access when the system is 'secure'. devices used for
	swap, for example, are not considered mounted even though they
	are just as important.

I thought that was pretty clear, but I'll go further and explain. What
I want to do is NOT prevent using /dev/wd0b for swap if /dev/wd0a is
mounted -- that is, in fact, the layout I use, as I said in my example
in the previous mail -- but rather prevent opening /dev/rwd0b for raw
writing, that is:

	open("/dev/rwd0b", O_RDWR, 0);

*because* /dev/wd0a is mounted. The reason? See above: we *can't*
reliably distinguish between the two, and sometimes that is not even
something we can do anything about.

-e.
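The check the mail describes (normalise every device to its character form, then compare the major number and DISKUNIT()), worked through as an added example. This is not code from the thread or from the NetBSD kernel: the dev_t packing, the wd/sd major numbers, the block-to-char lookup that stands in for devsw_blk2chr(), the in-use device list and all sim_* names are constructed for illustration, and MAXPARTITIONS is assumed to be 16 (it is per-port in NetBSD). The policy function shows the intended outcome from the mail: at a secure level, a write open of /dev/rwd0b is denied because /dev/wd0a is mounted, while using /dev/wd0b for swap, read-only raw opens, and unrelated disks are left alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's dev_t.  The packing is a constructed
 * simplification, not NetBSD's real bit layout; only major/minor matter. */
typedef uint32_t sim_dev_t;
#define SIM_MAKEDEV(ma, mi) ((sim_dev_t)(((ma) << 8) | ((mi) & 0xffu)))
#define SIM_MAJOR(d)        ((unsigned)((d) >> 8))
#define SIM_MINOR(d)        ((unsigned)((d) & 0xffu))

/* Same shape as <sys/disklabel.h>: minor = unit * MAXPARTITIONS + partition.
 * MAXPARTITIONS is per-port in NetBSD; 16 is assumed here. */
#define SIM_MAXPARTITIONS 16
#define SIM_DISKUNIT(d)   (SIM_MINOR(d) / SIM_MAXPARTITIONS)
#define SIM_DISKPART(d)   (SIM_MINOR(d) % SIM_MAXPARTITIONS)

/* In the kernel the vnode type (VBLK/VCHR) tells block from char. */
enum devtype { DEV_BLK, DEV_CHR };

/* Hypothetical block/char major pairs for two disk drivers.  Real majors
 * are assigned per port; this table plays the role of devsw_blk2chr(). */
struct majpair { unsigned bmaj, cmaj; };
static const struct majpair sim_majors[] = {
    { 0, 3 },    /* "wd": block major 0, char major 3 (assumed) */
    { 4, 13 },   /* "sd": block major 4, char major 13 (assumed) */
};

/* Normalise a device to its character form.  Returns false if the block
 * major has no char counterpart, i.e. not a disk we know how to compare. */
static bool sim_normalize_chr(sim_dev_t dev, enum devtype t, sim_dev_t *out)
{
    if (t == DEV_CHR) { *out = dev; return true; }
    for (size_t i = 0; i < sizeof sim_majors / sizeof sim_majors[0]; i++)
        if (sim_majors[i].bmaj == SIM_MAJOR(dev)) {
            *out = SIM_MAKEDEV(sim_majors[i].cmaj, SIM_MINOR(dev));
            return true;
        }
    return false;
}

/* The comparison from the mail: same driver (major) and same DISKUNIT()
 * once both devices have been normalised to char.  Partition is ignored
 * on purpose: wd0a and rwd0b are the same physical disk. */
static bool same_physical_disk(sim_dev_t a, enum devtype ta,
                               sim_dev_t b, enum devtype tb)
{
    sim_dev_t ca, cb;
    if (!sim_normalize_chr(a, ta, &ca) || !sim_normalize_chr(b, tb, &cb))
        return false;
    return SIM_MAJOR(ca) == SIM_MAJOR(cb) && SIM_DISKUNIT(ca) == SIM_DISKUNIT(cb);
}

/* Constructed "in use" list: root fs on wd0a, swap on wd0b, both opened
 * through their block devices (the layout described in the mail). */
struct inuse { sim_dev_t dev; enum devtype t; const char *why; };
static const struct inuse sim_inuse[] = {
    { SIM_MAKEDEV(0, 0 * SIM_MAXPARTITIONS + 0), DEV_BLK, "mounted /" },
    { SIM_MAKEDEV(0, 0 * SIM_MAXPARTITIONS + 1), DEV_BLK, "swap" },
};

#define SIM_FWRITE 0x2   /* stand-in for the kernel's open-for-write flag */

/* Policy: when the system is secure, deny opening a raw (char) disk
 * device for writing if it shares a physical disk with anything in use.
 * Returns the reason for denial, or NULL if the open may proceed. */
static const char *secure_raw_open_denied(sim_dev_t dev, enum devtype t,
                                          int flags, int securelevel)
{
    if (securelevel < 1 || t != DEV_CHR || (flags & SIM_FWRITE) == 0)
        return NULL;
    for (size_t i = 0; i < sizeof sim_inuse / sizeof sim_inuse[0]; i++)
        if (same_physical_disk(dev, t, sim_inuse[i].dev, sim_inuse[i].t))
            return sim_inuse[i].why;
    return NULL;
}

int main(void)
{
    /* open("/dev/rwd0b", O_RDWR, 0): char major 3, unit 0, partition b */
    sim_dev_t rwd0b = SIM_MAKEDEV(3, 0 * SIM_MAXPARTITIONS + 1);
    const char *why = secure_raw_open_denied(rwd0b, DEV_CHR, SIM_FWRITE, 1);
    printf("raw write open of rwd0b at securelevel 1: %s\n",
           why ? why : "allowed");
    return 0;
}
```

Note that the denial reason that comes back for rwd0b is the mounted root on wd0a, not the swap entry: the two partitions are never compared against each other, only reduced to the same unit on the same driver, which is the whole point of normalising before comparing.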