Subject: Re: new kpi proposal, sysdisk(9)
To: Elad Efrat <elad@NetBSD.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 12/29/2006 22:15:25

On Sat, Dec 30, 2006 at 01:17:21AM +0200, Elad Efrat wrote:
> Bill Studenmund wrote:
>
> > We already have (or had, I haven't looked recently) code to ensure that
> > you don't open overlapping partitions. Combined with the whole-disk
> > partition, that lets us effectively merge the two (there is something you
> > open that is the whole disk).
>
> please take a look at where that code is located (per-arch) and ensure
> it works as advertised. if you manage doing that, for all netbsd ports,
> and then for wedges, you'll have to take care of issues such as
> sending an ioctl to an open "partition" that will apply to the whole
> disk.
>
> will you look into it and get back to the list with the results?

Wow, do you want me to keep talking with you and working to a solution, or
to tell you you're an idiot and start yelling? The tone above seems to
indicate the latter.

> > The reason you wanted this change (that we would not otherwise know they
> > are in use) applies equally here too; right now we would have no direct
> > method to determine they were in use (note I said direct. Yes, you could
> > look at swap and RAIDFrame device usage, but that's not the point :-).
>
> I'm afraid you're wrong here too. the reason I wanted this change is so
> that we can tell that if someone accesses /dev/rwd0b, that while this
> may be the block device for the inactive swap partition, it's really the
> same physical disk as /dev/wd0a, our root fs, and where /etc is.
>
> I think I made it quite clear when I normalized all devices to be char,
> then compared their major device and DISKUNIT().

You did make that clear. However I don't understand why you want to limit
access to the whole disk.

Either raw access to the partition is bounded to within the partition or I
don't understand something. If it's bounded, and the partition doesn't
overlap anything, I don't see what the harm is.

I thus don't see why you want this particular protection method.
Everything I think you want to prevent _should_ be handled in other ways.

Also, if what I think you want ISN'T handled right now, I think we have
MORE problems than just this. Thus your fix will leave other issues open.
:-)

> > Likewise, the fact that part of the above-mentioned disk is open for swap
> > does not (or should not) preclude a different part of the disk being
> > opened for mounting or raid or whatever.
>
> let me just quote my original mail:
>
> 	original motivation is raw disk access policy enforcement in
> 	securelevel. currently, only disks that are mounted are denied
> 	raw disk access when the system is 'secure'. devices used for
> 	swap, for example, are not considered mounted even though they
> 	are just as important.
>
> I thought that was pretty clear, but I'll go further and explain. what
> I want to do is NOT prevent using /dev/wd0b for swap if /dev/wd0a is
> mounted -- that is, in fact, the layout I use, as I said in my example
> in the previous mail -- but rather prevent opening /dev/rwd0b for raw
> writing, that is:
>
> 	open("/dev/rwd0b", O_RDWR, 0);
>
> *because* /dev/wd0a is mounted. the reason? see above: we *can't*
> reliably distinguish between the two, and sometimes that is not even
> something we can do anything about.

I didn't take away the exact meaning you had. My not understanding why you
want the point you're making led me to take your meaning to be slightly
different (and more sensible in my mind :-).

As above, either we enforce partition boundaries or we don't. If we
enforce boundaries, I don't see the problem with opening disjoint areas.
If we don't enforce boundaries, then we have other problems. For example,
consider your example but when we booted off of wd1. Thus wd0a isn't
mounted. I personally still want something opening rwd0b to not be able to
touch wd0a, regardless of wd0a's mount state. :-)

Take care,

Bill
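
An added example, not code from this thread or from the NetBSD tree, modelling the check Elad describes above: every device is normalized to its character form, and two devices are taken to be the same physical disk when their character major and DISKUNIT() agree, which is what makes open("/dev/rwd0b", O_RDWR) deniable while /dev/wd0a is mounted. MAXPARTITIONS=16, the simplified major/minor handling, the block-to-character major table (i386-style wd/sd numbers) and the in-use device table are all assumptions constructed for the example; unknown block majors fail closed, and a read-only open is left alone, matching the "raw writing" case the thread is about.

```c
/*
 * Added example, not NetBSD code. Models the securelevel raw-disk check
 * discussed in the thread: normalize a device to its character form, then
 * treat two devices as the same physical disk when their (char) major and
 * DISKUNIT() agree. MAXPARTITIONS, the block->char major table and the
 * in-use table are assumptions constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAXPARTITIONS 16                     /* per-arch in NetBSD; assumed 16 */
#define DISKUNIT(mi)  ((mi) / MAXPARTITIONS) /* minor -> unit, as in NetBSD */
#define DISKPART(mi)  ((mi) % MAXPARTITIONS) /* minor -> partition index */

struct devid {
    int  major;
    int  minor;
    bool isblk;        /* true for /dev/wd0a, false for /dev/rwd0a */
};

/* Constructed block->char major pairs (i386-style values, assumed). */
static const struct { int bmaj, cmaj; const char *name; } majmap[] = {
    { 0,  3, "wd" },
    { 4, 13, "sd" },
};

/* Normalize to the character device; false if the block major is unknown. */
static bool normalize_chr(const struct devid *in, struct devid *out)
{
    *out = *in;
    if (!in->isblk)
        return true;
    for (size_t i = 0; i < sizeof majmap / sizeof majmap[0]; i++) {
        if (majmap[i].bmaj == in->major) {
            out->major = majmap[i].cmaj;
            out->isblk = false;
            return true;
        }
    }
    return false;
}

/* Same physical disk <=> same char major and same DISKUNIT(). Fails closed. */
static bool same_physical_disk(const struct devid *a, const struct devid *b)
{
    struct devid ca, cb;
    if (!normalize_chr(a, &ca) || !normalize_chr(b, &cb))
        return true;   /* cannot prove they differ: treat as the same disk */
    return ca.major == cb.major && DISKUNIT(ca.minor) == DISKUNIT(cb.minor);
}

struct usedev { struct devid dev; const char *why; };

/* Constructed in-use table: wd0a mounted as /, sd0b active swap. */
static const struct usedev in_use[] = {
    { { 0, 0 * MAXPARTITIONS + 0, true }, "wd0a is mounted on /" },
    { { 4, 0 * MAXPARTITIONS + 1, true }, "sd0b is active swap" },
};

/*
 * Policy decision for open(2) on a raw device while the system is secure:
 * a write-mode open is denied when any in-use device shares the physical
 * disk. Returns the reason, or NULL when the open is allowed.
 */
static const char *raw_open_denied(const struct devid *target, bool for_write)
{
    if (!for_write)
        return NULL;
    for (size_t i = 0; i < sizeof in_use / sizeof in_use[0]; i++)
        if (same_physical_disk(target, &in_use[i].dev))
            return in_use[i].why;
    return NULL;
}

/* Convenience: decide for the raw device with char major cmaj, unit, partition. */
static const char *check_raw_open(int cmaj, int unit, int part, bool for_write)
{
    struct devid d = { cmaj, unit * MAXPARTITIONS + part, false };
    return raw_open_denied(&d, for_write);
}

int main(void)
{
    struct { const char *name; int cmaj, unit, part; } probes[] = {
        { "rwd0b", 3, 0, 1 },   /* swap partition on the root disk */
        { "rwd0d", 3, 0, 3 },   /* whole-disk partition, same unit */
        { "rwd1b", 3, 1, 1 },   /* different unit of the same driver */
        { "rsd0a", 13, 0, 0 },  /* sd0b is swap, so sd0 is in use */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *r = check_raw_open(probes[i].cmaj, probes[i].unit,
                                       probes[i].part, true);
        printf("open(/dev/%s, O_RDWR): %s\n", probes[i].name,
               r ? r : "allowed");
    }
    return 0;
}
```

The comparison deliberately uses both the normalized major and DISKUNIT(): unit 0 of wd and unit 0 of sd share a unit number but not a major, so rwd0b is refused here only because wd0a is in use, not because sd0 is. The example does not model partition boundaries at all, which is exactly the point Bill raises: if raw access were bounded to the partition being opened, this whole-disk comparison would not be needed for disjoint partitions.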
