On Feb 3, Dr. Lex Wennmacher wrote
> The intention to make /dev immutable is not to disable creation of devices
> elsewhere, but to protect your devices from being rm'ed by a malicious hacker.
> One could disable device creation by checking securitylevel in mknod(2), but
> that does not seem to make much sense to me (the devices aready present in /dev
> can always be used). Once you're running at security level 2, disks, /dev/mem,
> /dev/kmem (well, also /hackerdev/mem in that respect) are read-only, so what is
> your concern?

They can still be read. And I'm not sure some overflow in the kernel couldn't
be used to write kernel memory (or execute arbitrary code). So I erase any
device I don't use, and I don't want somebody to be able to recreate
them. But this is a bit beyond the scope of your proposal, I agree.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--