smartmontools and kern.securelevel

Ben RUBSON ben.rubson at
Fri Feb 23 16:46:14 UTC 2018

On 23 Feb 2018, Warner Losh wrote:

> On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at> wrote:
>> Hi,
>> I run smartmontools on my storage servers, to launch periodic disk tests  
>> and alert on disk errors.
>> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does  
>> not work anymore.
>> Certainly because it needs to write directly to raw devices.
>> (details of the levels, -1 to 3, in security(7))
>> Any workaround to this ?
>> Perhaps we could think about allowing SMART commands to be written to  
>> disks when sysctl kern.securelevel >=2 ?
>> (I assume smartmontools writes SMART commands)
> Sending raw disks commands is inherently insecure. It's hard to create a  
> list of those commands that are OK because of the complexity and  
> diversity of the needed functionality. That complexity also makes it hard  
> to put the commands into a series of ioctls which could be made more  
> secure.

Thank you for your feedback Warner.

Can't all SMART commands be easily identified among the others ? (when a  
command arrives, does kernel sees it is SMART flagged ?)
Perhaps you assume some SMART commands may be dangerous for the disks' data  
itself ?

Thank you again,


More information about the freebsd-fs mailing list