From: hsggebhardt@googlemail.com (Henry Gebhardt)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Blocking the access to the device files.
Date: Thu, 30 Dec 2010 01:24:40 +0100
Message-ID: <20101230002439.GA2774@bimsstein>
In-Reply-To: <AANLkTinBFH+xhRSwSh_OCcu18ATHjs3059V=FXqn2oTs@mail.gmail.com>

On Wed, Dec 29, 2010 at 11:32:18PM +0000, Prasad Joshi wrote:
> On Wed, Dec 29, 2010 at 4:12 PM, Mulyadi Santosa
> <mulyadi.santosa@gmail.com> wrote:
> > On Wed, Dec 29, 2010 at 20:06, Prasad Joshi <prasadjoshi124@gmail.com> wrote:
> >> Hello All,
> >>
> >> ZFS file system has a property called devices. If turned off, ZFS
> >> would not allow access to the device files (block/character) present
> >> on the file system. I want to implement the same behavior on a
> >> Linux File System.
> >
> > I don't know about ZFS, so could you please elaborate on what you mean
> > by "ZFS could disallow access"?
> 
> I am really sorry that I was not clear with the first mail. Thanks a
> lot for all mail replies and for sharing important information.
> By not disallowing access to device files I meant
> 
> root@prasad-laptop:~# mount disk -o loop arm/
> 
> root@prasad-laptop:~/arm# mount -t ext3
> /dev/loop0 on /home/prasad/arm type ext3 (rw)
> 
> ############# CREATING A DEVICE FILE ON THE FILE SYSTEM
> root@prasad-laptop:~/arm# mknod zero c 1 5
> 
> root@prasad-laptop:~/arm# ls
> lost+found  zero
> 
> root@prasad-laptop:~/arm# ls -l
> total 12
> drwx------ 2 root root 12288 2010-12-23 11:28 lost+found
> crw-r--r-- 1 root root  1, 5 2010-12-23 11:28 zero
> 
> root@prasad-laptop:~/arm# dd if=zero of=disk bs=10K count=10K
> dd: writing `disk': No space left on device
> 9313+0 records in
> 9312+0 records out
> 95354880 bytes (95 MB) copied, 1.00106 s, 95.3 MB/s
> 
> root@prasad-laptop:~/arm# ls -l
> total 93499
> -rw-r--r-- 1 root root 95354880 2010-12-23 11:28 disk
> drwx------ 2 root root    12288 2010-12-23 11:28 lost+found
> crw-r--r-- 1 root root     1, 5 2010-12-23 11:28 zero
> 
> Here the file system allowed access to the device file named zero. The
> requirement is to turn off the access to all of the device files
> present on the mounted file system, i.e. considering the above case
> access (open/read/write) to/from device zero should not be allowed
> (even by root user). I don't know why would one create a device file
> on a file system other than /dev.
> 
> I could modify the open code to check if the file being opened is a
> device file then return either EPERM or EACCES (not sure
> which one). But before modifying the code I thought of checking mount
> flags, could not find one, hence thought of asking on mailing list.
> 
> Thanks a lot for wonderful replies and sharing valuable information.
> Hope the example above has made the requirement clear.
> 

Maybe I, too, am completely misunderstanding you, but does the nodev
option do what you want?  From the mount manpage:

    nodev - Do not interpret character or block special devices on the
    file system.

Use like so:

    $ mount disk -o loop,nodev arm/

You can still create device special files, you just can't access them.

Greetings,
Henry
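
Added example, not part of the message above or of any project's code: a small audit that reads a mount table in /proc/self/mounts format and lists the mount points that lack nodev, i.e. where device special files would still be interpreted. The sample table is constructed, and the set of file system types exempted because they exist to hold device nodes is an assumption.

```python
import re

# Assumption: file system types that exist to hold device nodes; adjust per site.
DEVICE_FS_TYPES = {"devtmpfs", "devpts"}

def unescape(field):
    # /proc/self/mounts writes space, tab, newline and backslash as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Yield (source, mountpoint, fstype, options) for each mount table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        yield (unescape(fields[0]), unescape(fields[1]), fields[2],
               set(fields[3].split(",")))

def mounts_allowing_devices(text):
    """Return mount points on which device special files are still interpreted."""
    findings = []
    for _source, mountpoint, fstype, options in parse_mounts(text):
        if fstype in DEVICE_FS_TYPES:
            continue  # device nodes are expected on these
        if "nodev" not in options:
            findings.append(mountpoint)
    return findings

# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE = r"""
/dev/sda1 / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k 0 0
/dev/loop0 /home/prasad/arm ext3 rw,nodev,relatime 0 0
/dev/loop1 /mnt/usb\040stick vfat rw,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    # On a live system, pass open("/proc/self/mounts").read() instead of SAMPLE.
    for mountpoint in mounts_allowing_devices(SAMPLE):
        print("mounted without nodev:", mountpoint)
```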
