workarounding kern.securelevel

[xibo]

This is what I recorded in the jail (which has mount.devfs set):

# sysctl kern.securelevel
kern.securelevel: 3
# dd if=/dev/zero of=/dev/da0
dd: /dev/da0: Operation not permitted
# gpart destroy -F da0
da0 destroyed
#

From outside the jail, I can see da0 (a USB flash memory device for testing) was indeed destroyed. Is there a way to prevent gpart from writing to media (other than writing a devfs rule file for the jail)? And also, what kind of other (to gpart) ways are there to workaround kern.securelevel?

 

[ta0kira]

Maybe the USB mass-storage driver doesn't check kern.securelevel, which I assume the drivers for "proper" drives do. Disks are character devices and you need to be able to open some character devices even at a high kern.securelevel, so flash drives might have fallen through the cracks.

Kevin Barry

 

[xibo]

Indeed, I need to open at least some pseudoterminals which are character devices. However, using gpart I can write on HDDs with mounted partitions on them (haven't tried deleting the partition table so far, but I can modify the "active" attribute).

 

[Uniballer]

Please file an SPR.