From: Lloyd
Subject: Re: securtity(8): ignore date changes on devices
To: tech@openbsd.org
Date: Mon, 17 Nov 2025 18:44:14 +0000

Possibly related, I noticed 7.8 boxes started notifying me about block
device changes to /dev/rootdisk after running syspatch. I assume the
warning is just noise.

Regards
Lloyd

Sebastien Marie wrote:
> Hi,
>
> After running /dev/MAKEDEV (automatically done while upgrading), all
> nodes in /dev are updated, and it makes security(8) report block
> device changes due to date changes.
>
> With support for extra partitions in disklabel, the list is really huge
> and it makes the security(8) reports unreadable (too many
> false-positive changes in the list to be checked).
>
> I would like to avoid reporting device changes for date fields. This
> way, if the device is recreated the same (major, minor, mode, owner,
> group, …) but at different dates, it will not be reported by security(8).
>
> I assume the date is irrelevant for a device (and only for a device) as the
> inode doesn't carry content.
>
> Comments or OK?
> --
> Sebastien Marie
>
> diff --git a/libexec/security/security b/libexec/security/security > index 21e660502b..1d6cc2339c 100644 > --- a/libexec/security/security > +++ b/libexec/security/security > @@ -672,6 +672,8 @@ > !S_ISBLK($files->{$f}{mode}); > > foreach my $k (@fields) { > next if $old->{$k} eq $files->{$f}{$k}; > > + next if $mode eq 'device' && > + grep { $_ eq $k } qw(mon day time year); > push @{$changed{changes}}, > [ @$old{@fields}, $f ], > [ @{$files->{$f}}{@fields}, $f ];
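
Review bot: the added "next if $mode eq 'device' && grep { $_ eq $k } qw(mon day time year);" silently drops a class of reports and nothing in the patch documents it. After this change a device node that is recreated with a new timestamp but otherwise identical fields is no longer reported, so the security(8) manual page should state that date changes on devices are ignored. Two things are worth confirming because the hunk does not show them: that $mode is the check-type variable in scope here and not the file mode seen in the context line "!S_ISBLK($files->{$f}{mode});", and that mon, day, time and year are exactly the names used in @fields, since a mismatch would make the skip a no-op without any error. As a style point, the grep over a fresh qw list is evaluated for every differing field of every device; a small lookup hash defined once outside the foreach would read more clearly.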