Blocking the access to the device files.

Prasad Joshi prasadjoshi124 at gmail.com
Wed Dec 29 18:32:18 EST 2010


On Wed, Dec 29, 2010 at 4:12 PM, Mulyadi Santosa
<mulyadi.santosa at gmail.com> wrote:
> On Wed, Dec 29, 2010 at 20:06, Prasad Joshi <prasadjoshi124 at gmail.com> wrote:
>> Hello All,
>>
>> ZFS file system has a property called devices. If turned off, ZFS
>> would not allow access to the device files (block/character) present
>> on the file system. I want to implement the same behavior on the a
>> Linux File System.
>
> I don't know about ZFS, so could you please elaborate on what you mean
> by "ZFS could disallow access"?

I am really sorry that I was not clear with the first mail. Thanks a
lot for all mail replies and for sharing important information.
By disallowing access to device files I meant:

root at prasad-laptop:~# mount disk -o loop arm/

root at prasad-laptop:~/arm# mount -t ext3
/dev/loop0 on /home/prasad/arm type ext3 (rw)

############# CREATING A DEVICE FILE ON THE FILE SYSTEM
root at prasad-laptop:~/arm# mknod zero c 1 5

root at prasad-laptop:~/arm# ls
lost+found  zero

root at prasad-laptop:~/arm# ls -l
total 12
drwx------ 2 root root 12288 2010-12-23 11:28 lost+found
crw-r--r-- 1 root root  1, 5 2010-12-23 11:28 zero

root at prasad-laptop:~/arm# dd if=zero of=disk bs=10K count=10K
dd: writing `disk': No space left on device
9313+0 records in
9312+0 records out
95354880 bytes (95 MB) copied, 1.00106 s, 95.3 MB/s

root at prasad-laptop:~/arm# ls -l
total 93499
-rw-r--r-- 1 root root 95354880 2010-12-23 11:28 disk
drwx------ 2 root root    12288 2010-12-23 11:28 lost+found
crw-r--r-- 1 root root     1, 5 2010-12-23 11:28 zero

Here the file system allowed access to the device file named zero. The
requirement is to turn off access to all of the device files
present on the mounted file system, i.e., considering the above case,
access (open/read/write) to/from the device zero should not be allowed
(even by the root user). I don't know why one would create a device file
on a file system other than /dev.

I could modify the open code to check if the file being opened is a
device file and then return either EPERM or EACCES (not sure which
one). But before modifying the code I thought of checking the mount
flags, could not find one, hence thought of asking on the mailing list.

Thanks a lot for wonderful replies and sharing valuable information.
Hope the example above has made the requirement clear.

Thanks and Regards,
Prasad
>
> IMHO, (untested), you could simply do it using usual Linux
> file/directory permission up to SELinux/AppArmor....so, is that what
> you mean?
>
> --
> regards,
>
> Mulyadi Santosa
> Freelance Linux trainer and consultant
>
> blog: the-hydra.blogspot.com
> training: mulyaditraining.blogspot.com
>
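The mount flag the post is looking for does exist: the nodev mount option (MS_NODEV on the mount() side, MNT_NODEV on the mount in the kernel), which makes the kernel's open path refuse character and block device inodes on that mount with EACCES, for root as well. The script below is an added example and not code from the thread or from any of its participants: it reproduces the session above on a loop-mounted ext3 image, first with default options and then remounted nodev, and provides two small helpers for checking whether a mount line or an option string carries nodev. The paths under /tmp, the image size and the "demo" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.  Demonstrates that the
# "nodev" mount option blocks open() of device nodes on a mount, even
# for root.  Paths under /tmp and the 8 MiB image size are assumptions.

# Return 0 if a comma-separated mount-option string contains "nodev".
has_nodev() {
  case ",$1," in
    *,nodev,*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Return 0 if a line in the format printed by "mount" (for example
# "/dev/loop0 on /home/prasad/arm type ext3 (rw,nodev)") says the
# filesystem was mounted nodev.
mount_line_has_nodev() {
  opts=${1##*\(}      # drop everything up to the last "("
  opts=${opts%\)}     # drop the trailing ")"
  has_nodev "$opts"
}

# Root-only demo: loop-mount a fresh ext3 image, create a character
# device node on it (major 1, minor 5 = /dev/zero), read from it with
# default mount options, then remount nodev and read again.
demo_nodev() {
  img=/tmp/nodev-demo.img   # assumed scratch path
  mnt=/tmp/nodev-demo       # assumed mount point
  dd if=/dev/zero of="$img" bs=1M count=8 2>/dev/null
  mkfs.ext3 -q -F "$img"
  mkdir -p "$mnt"
  mount -o loop "$img" "$mnt"
  mknod "$mnt/zero" c 1 5

  # Default flags: the device node on the mounted filesystem is usable.
  if dd if="$mnt/zero" of=/dev/null bs=4k count=1 2>/dev/null; then
    echo "default mount: read from $mnt/zero succeeded"
  fi

  # Remount with nodev: the kernel now refuses open() of S_IFCHR and
  # S_IFBLK inodes on this mount with EACCES ("Permission denied").
  mount -o remount,nodev "$mnt"
  grep " $mnt " /proc/mounts
  if dd if="$mnt/zero" of=/dev/null bs=4k count=1 2>/dev/null; then
    echo "nodev mount: read unexpectedly succeeded"
  else
    echo "nodev mount: open refused (expected EACCES)"
  fi

  umount "$mnt"
  rmdir "$mnt"
  rm -f "$img"
}

# The demo needs a loop device, mkfs and mknod, so it only runs when
# explicitly requested ("demo" as the first argument) and as root.
if [ "${1:-}" = demo ]; then
  [ "$(id -u)" -eq 0 ] || { echo "demo needs root" >&2; exit 1; }
  demo_nodev
fi
```

Run the demo as root with `sh nodev-demo.sh demo`; the two helper functions need no privileges and can be applied to the output of `mount` or to the options column of /proc/mounts. The same check is worth auditing on any mount that untrusted users can write to (tmp, home directories, removable media), since a device node placed there is otherwise a direct path to raw disk or memory.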