smartmontools and kern.securelevel

Warner Losh imp at
Fri Feb 23 15:25:13 UTC 2018

On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at> wrote:

> Hi,
> I run smartmontools on my storage servers, to launch periodic disk tests
> and alert on disk errors.
> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does
> not work anymore.
> Certainly because it needs to write directly to raw devices.
> (details of the levels, -1 to 3, in security(7))
> Any workaround to this?
> Perhaps we could think about allowing SMART commands to be written to
> disks when sysctl kern.securelevel >=2?
> (I assume smartmontools writes SMART commands)

Sending raw disk commands is inherently insecure. It's hard to create a
list of those commands that are OK because of the complexity and diversity
of the needed functionality. That complexity also makes it hard to put the
commands into a series of ioctls which could be made more secure.

