Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with sysctl kern.securelevel, once the level has been set in the bootup process using the securelevel option in /etc/rc.conf you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2.
Thevariable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security.
secmodel_bsd44(9) defeines the following restrictions:
- Don't raise the securelevel on boot
- The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs.
- Immutable and append-only file flags may be changed
- All devices may be read or written subject to their permissions
Note: You can`t run X11 above this securelevel
Try sysutils/aperture if you really need it.
- All effects of securelevel 0
- /dev/mem and /dev/kmem may not be written to
- Raw disk devices of mounted file systems are read-only
- Immutable and append-only file flags may not be removed
- Kernel modules may not be loaded or unloaded
- The net.inet.ip.sourceroute sysctl(8) variable may not be changed
- Adding or removing sysctl(9) nodes is denied
- The RTC offset may not be changed
- Set-id coredump settings may not be altered
- Attaching the IP-based kernel debugger, ipkdb(4), is not allowed
- Device ``pass-thru requests that may be used to perform raw disk and/or memory access are denied
- iopl and ioperm calls are denied
- Access to unmanaged memory is denied
- All effects of securelevel 1
- Raw disk devices are always read-only whether mounted or not
- New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only
- The system clock may not be set backwards or close to overflow
- Per-process coredump name may not be changed
- Packet filtering and NAT rules may not be altered
As a user, you can see the current value of securelevel:
$ sysctl kern.securelevel kern.securelevel = -1
But of course, you cannot change it:
$ sysctl -w kern.securelevel=0 sysctl: kern.securelevel: sysctl() failed with Operation not permitted
You need to be root to do that:
# sysctl -w kern.securelevel=1 kern.securelevel: -1 -> 1
Once it is set, its value can never be set to a lower value again:
# sysctl -w kern.securelevel=-1 sysctl: kern.securelevel: sysctl() failed with Operation not permitted
... except by the kernel debugger, which you can enter at the console. On i386, press ++:
db> w/l securelevel (-1) netbsd:securelevel 0x1 -> 0xffffffff db> c
The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see).