On Tue, Mar 09, 2010 at 08:45:09PM +0100, Joerg Sonnenberger wrote: > On Tue, Mar 09, 2010 at 02:23:13PM -0500, Thor Lancelot Simon wrote: > > I want to be able to tell the kernel to mount a device reliably identified > > by some kind of unique, symbolic name. I want to be able to load a list > > of permissible such names into the kernel while it's running insecure, and > > restrict mounting to those and only those when it's running secure. > > I don't get it. What kind of devices are you talking about? If the > environment is static, you can still use the same identifier as before.
When you say "the same identifier as before" what exactly do you mean? > If it is not, why do you believe that the device you are dealing with is > the one you hoped it is? That's a matter for the kernel to decide -- not one for some userspace program which could be tampered with by any process running with euid 0. At least, that is how I would strongly prefer it to be. Thor
