Hello, I believe i have stumbled upon a documentation inconsistency concerning securelevels and usage of /dev/io >From init(8) manpage 1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted file systems, /dev/mem, /dev/kmem and /dev/io (if your platform has it) may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded. Note the "may not be opened for writing". It is correct for /dev/mem and /dev/kmem but incorrect for /dev/io as the following experiment shows: 3:40pm ~ # sysctl kern.securelevel kern.securelevel: 1 root_at_mybox 3:40pm ~ # head /dev/io head: /dev/io: Operation not permitted root_at_mybox 3:40pm ~ # Now the source code in /usr/src/sys/i386/i386/io.c just checks if securelevel is greater that 0 when opening the device and return accordingly. However from io(4) Note that even read-only access will grant the full I/O privileges. Which means that changing the code to check if the device is opened O_RDONLY and then allowing access would be a mistake cancelling the idea of blocking access to the device through usage of the securelevel. I am correct about the above ? Does the documentation need a correction in that place? Thanks, alexReceived on Wed Jul 12 2006 - 10:47:44 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:58 UTC