Re: (Semi-random) thoughts on device tree structure and devfs

[Steven Bellovin <smb%cs.columbia.edu@localhost>]

On Mar 9, 2010, at 2:55 PM, Thor Lancelot Simon wrote:

> On Tue, Mar 09, 2010 at 08:45:09PM +0100, Joerg Sonnenberger wrote:
>> On Tue, Mar 09, 2010 at 02:23:13PM -0500, Thor Lancelot Simon wrote:
>>> I want to be able to tell the kernel to mount a device reliably identified
>>> by some kind of unique, symbolic name.  I want to be able to load a list
>>> of permissible such names into the kernel while it's running insecure, and
>>> restrict mounting to those and only those when it's running secure.
>> 
>> I don't get it. What kind of devices are you talking about? If the
>> environment is static, you can still use the same identifier as before.
> 
> When you say "the same identifier as before" what exactly do you mean?
> 
>> If it is not, why do you believe that the device you are dealing with is
>> the one you hoped it is?
> 
> That's a matter for the kernel to decide -- not one for some userspace
> program which could be tampered with by any process running with euid 0.
> 
> At least, that is how I would strongly prefer it to be.

But what's to stop someone from mounting a new file system over /bin?  Or are 
you talking about secure_level 2?

                --Steve Bellovin, http://www.cs.columbia.edu/~smb