Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Jul 2015 11:35:39 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Todor Todorov <todorov@paladin.bulgarpress.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: 9.X+ && securelevel=2 && S.M.A.R.T.?
Message-ID:  <20150707183539.GF8523@funkthat.com>
In-Reply-To: <55962291.40507@paladin.bulgarpress.com>
References:  <55962291.40507@paladin.bulgarpress.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Todor Todorov wrote this message on Fri, Jul 03, 2015 at 08:50 +0300:
> I know it's not a new topic but still did not find a proper solution.
> 
> As all know starting from 9.X branch the disk access is changed and
> using securelevel=2 breaks the smartmontools to get disk health status.
> 
> Is there a way to keep both security and functionality as in previous
> releases?
> 
> Any ideas, articles, guides?

Per the securelevel man page:
     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2)) whether mounted or not.

smartmontools uses a special passthrough mode of the disk to send
custom commands to the disk...  If the passthrough mode is allowed in
this level, then smartmontools could write to the disk violating the
guarantee that disks may not be written to in multiuser mode...

This is probably a result of the switch from the old ata framework to
now where ata is part of the cam framework...  I'd say that the fact
smartmontools worked pre 9.x is a bug...

You might want to look at the MAC framework[1] where you can have
finer grained control of what is allowed and disallowed on your system
if you care this much about security...

[1] https://www.freebsd.org/doc/handbook/mac.html

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150707183539.GF8523>