From owner-freebsd-stable@freebsd.org Tue Jul 7 18:35:41 2015 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F7E5994620 for ; Tue, 7 Jul 2015 18:35:41 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 15358145B for ; Tue, 7 Jul 2015 18:35:40 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id t67IZe7L013973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 7 Jul 2015 11:35:40 -0700 (PDT) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id t67IZdct013972; Tue, 7 Jul 2015 11:35:39 -0700 (PDT) (envelope-from jmg) Date: Tue, 7 Jul 2015 11:35:39 -0700 From: John-Mark Gurney To: Todor Todorov Cc: freebsd-stable@freebsd.org Subject: Re: 9.X+ && securelevel=2 && S.M.A.R.T.? Message-ID: <20150707183539.GF8523@funkthat.com> References: <55962291.40507@paladin.bulgarpress.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <55962291.40507@paladin.bulgarpress.com> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Tue, 07 Jul 2015 11:35:40 -0700 (PDT) X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jul 2015 18:35:41 -0000 Todor Todorov wrote this message on Fri, Jul 03, 2015 at 08:50 +0300: > I know it's not a new topic but still did not find a proper solution. > > As all know starting from 9.X branch the disk access is changed and > using securelevel=2 breaks the smartmontools to get disk health status. > > Is there a way to keep both security and functionality as in previous > releases? > > Any ideas, articles, guides? Per the securelevel man page: 2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. smartmontools uses a special passthrough mode of the disk to send custom commands to the disk... If the passthrough mode is allowed in this level, then smartmontools could write to the disk violating the guarantee that disks may not be written to in multiuser mode... This is probably a result of the switch from the old ata framework to now where ata is part of the cam framework... I'd say that the fact smartmontools worked pre 9.x is a bug... You might want to look at the MAC framework[1] where you can have finer grained control of what is allowed and disallowed on your system if you care this much about security... [1] https://www.freebsd.org/doc/handbook/mac.html -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."