•   Check for changes to the disklabels of mounted disks.

That does not cover installations where the physical disk only has a
softraid chunk (plus perhaps an EFI System partition) and root is on
the softraid volume.

Noticed after someone asked for help after dd'ing miniroot to their sd0c.
At least on UEFI/GPT, the EFI System partition sits at the front, so
	# disklabel -R /var/backups/disklabel.sd0.backup
plus recreating the EFI System Parition should have undone the damage.

Here's a try merging softraid chunk disks that produces a new
disklabel.sd0.current in my case where `df -ln' only has sd1 mounts:

	# bioctl softraid0
	Volume      Status               Size Device
	softraid0 0 Online       536870641664 sd1     CRYPTO
		  0 Online       536870641664 0:0.0   noencl <sd0a>

I'm sure the perl can be better, no comment/manual tweaks, either...
Thoughts?

Index: security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
diff -u -p -r1.41 security
--- security	11 Oct 2020 18:28:17 -0000	1.41
+++ security	15 Feb 2024 13:51:13 -0000
@@ -886,6 +886,13 @@ sub check_disklabels {
 	my @disks = sort map m{^/dev/(\w*\d*)[a-p]}, <$fh>;
 	close_or_nag $fh, "df";
 
+	unless (nag !(open my $fh, '-|', qw(bioctl softraid0)),
+	    "cannot spawn bioctl $!") {
+		my @chunks = sort map m{<(\w*\d*)[a-p]>}, <$fh>;
+		close_or_nag $fh, "bioctl";
+		@disks = sort (@disks, @chunks);
+	}
+
 	foreach my $disk (@disks) {
 		$check_title = "======\n$disk diffs (-OLD  +NEW)\n======";
 		my $filename = BACKUP_DIR . "disklabel.$disk";