From: Sebastien Marie
Subject: security(8): ignore date changes on devices
To: tech@openbsd.org
Date: Mon, 17 Nov 2025 07:10:09 +0100

Hi,

After running /dev/MAKEDEV (automatically done while upgrading), all nodes in /dev are updated, and it makes security(8) report block device changes due to date changes.

With support for extra partitions in disklabel, the list is really huge and it makes the security(8) reports unreadable (too many false-positive changes in the list to be checked).

I would like to avoid reporting device changes for date fields. This way, if the device is recreated the same (major, minor, mode, owner, group, …) but at different dates, it will not be reported by security(8).

I assume the date is irrelevant for devices (and only for devices) as the inode doesn't carry content.

Comments or OK?
--
Sebastien Marie

diff --git a/libexec/security/security b/libexec/security/security index 21e660502b..1d6cc2339c 100644 --- a/libexec/security/security +++ b/libexec/security/security @@ -672,6 +672,8 @@ !S_ISBLK($files->{$f}{mode}); foreach my $k (@fields) { next if $old->{$k} eq $files->{$f}{$k}; + next if $mode eq 'device' && + grep { $_ eq $k } qw(mon day time year); push @{$changed{changes}}, [ @$old{@fields}, $f ], [ @{$files->{$f}}{@fields}, $f ];
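
Review bot: the added `next if $mode eq 'device' && grep { $_ eq $k } qw(mon day time year);` inside the `foreach my $k (@fields)` loop has no comment saying why date fields are skipped for devices, and the patch touches only libexec/security/security, so the documented behaviour of security(8) is not updated to state that a device node recreated with the same remaining fields is no longer reported. Suggest a one-line comment above the condition and a matching sentence in the manual. Two smaller points: `$mode` is not defined in the visible context and sits next to the unrelated `{mode}` hash key in `S_ISBLK($files->{$f}{mode})`, so it is worth confirming it holds the check type; and the `qw(mon day time year)` list is rebuilt and scanned for every differing field, which a hash of ignored keys declared before the loop would make cheaper and easier to read.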