Annotation of wikisrc/kernel_secure_levels.mdwn, revision 1.2
**Contents**

[[!toc levels=3]]

# Introduction

Kernel security levels were introduced back in 4.4BSD to use file flags as a mechanism to enhance security. Usually the system runs at level 1, which can be checked with **sysctl kern.securelevel**. Once the level has been set during boot using the securelevel option in **/etc/rc.conf**, you cannot lower it anymore, but you are allowed to raise it to either 1 or 2.

The [[basics/sysctl]] variable kern.securelevel is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security.

# Securelevel restrictions

secmodel_bsd44(9) defines the following restrictions:

## -1 Permanently insecure mode

* Don't raise the securelevel on boot

## 0 Insecure mode

* The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs.
* Immutable and append-only file flags may be changed
* All devices may be read or written subject to their permissions

_Note: You can't run X11 above this securelevel._

_Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._

## 1 Secure mode

* All effects of securelevel 0
* /dev/mem and /dev/kmem may not be written to
* Raw disk devices of mounted file systems are read-only
* Immutable and append-only file flags may not be removed
* Kernel modules may not be loaded or unloaded
* The net.inet.ip.sourceroute sysctl(8) variable may not be changed
* Adding or removing sysctl(9) nodes is denied
* The RTC offset may not be changed
* Set-id coredump settings may not be altered
* Attaching the IP-based kernel debugger, ipkdb(4), is not allowed
* Device "pass-thru" requests that may be used to perform raw disk and/or memory access are denied
* iopl and ioperm calls are denied
* Access to unmanaged memory is denied

## 2 Highly secure mode

* All effects of securelevel 1
* Raw disk devices are always read-only whether mounted or not
* New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only
* The system clock may not be set backwards or close to overflow
* Per-process coredump name may not be changed
* Packet filtering and NAT rules may not be altered

# Examining and changing securelevel

As a user, you can see the current value of securelevel:

    $ sysctl kern.securelevel
    kern.securelevel = -1

But of course, you cannot change it:

    $ sysctl -w kern.securelevel=0
    sysctl: kern.securelevel: sysctl() failed with Operation not permitted

You need to be root to do that:

    # sysctl -w kern.securelevel=1
    kern.securelevel: -1 -> 1

Once it is set, its value can never be set to a lower value again:

    # sysctl -w kern.securelevel=-1
    sysctl: kern.securelevel: sysctl() failed with Operation not permitted

... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>:

    db> w/l securelevel (-1)
    netbsd:securelevel 0x1 -> 0xffffffff
    db> c

! 88:
! 89: # Setting securelevel permanently
! 90:
! 91: The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]).
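As an added example (not part of this wiki page and not code from the NetBSD base system), the following POSIX sh helpers put the rules from the previous two sections into checkable form: they parse the output of **sysctl kern.securelevel**, decide whether a requested change is a raise that root may perform or a lowering the kernel will refuse, and compare the running level with the securelevel= line of an rc.conf-style file. The sysctl output line and the rc.conf fragment are constructed samples, and all function names are this example's own.

```shell
#!/bin/sh
# Added example: audit helpers for NetBSD kern.securelevel.
# Plain POSIX sh so it can be exercised on any host; the sysctl(8)
# output line and the rc.conf(5) fragment below are constructed samples.

# Extract the integer from a "kern.securelevel = N" line as printed by sysctl(8).
securelevel_parse() {
    printf '%s\n' "$1" | sed -n 's/^kern\.securelevel *= *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p'
}

# Read the live value on a NetBSD host; elsewhere fall back to a sample line.
securelevel_current() {
    if command -v sysctl >/dev/null 2>&1 &&
       sysctl kern.securelevel 2>/dev/null | grep -q '^kern\.securelevel'; then
        securelevel_parse "$(sysctl kern.securelevel)"
    else
        securelevel_parse "kern.securelevel = -1"   # constructed sample
    fi
}

# Mirror the kernel's rule from the page: the level may be raised (up to 2)
# but never lowered through sysctl(8). Returns 0 if cur -> target would be
# accepted, 1 if the kernel would answer "Operation not permitted".
securelevel_transition_allowed() {
    cur=$1; target=$2
    case $target in -1|0|1|2) ;; *) return 1 ;; esac
    [ "$target" -ge "$cur" ]
}

# Pull the securelevel= assignment out of an rc.conf(5)-style file.
# Comment lines are ignored, quotes are stripped, and the last assignment wins.
rcconf_securelevel() {
    sed -n 's/^[[:space:]]*securelevel=//p' "$1" |
        tr -d "\"'" |
        sed -n 's/^\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' |
        tail -n 1
}

# Write a constructed rc.conf fragment to a temporary file and print its path.
sample_rcconf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real /etc/rc.conf
hostname=example
securelevel=0          # overridden by the later assignment
securelevel="1"
EOF
    printf '%s\n' "$f"
}

# Compare the running level with what rc.conf requests.
# Prints one of: matches | raise-needed | below-running | unset
securelevel_audit() {
    running=$1; configured=$2
    if [ -z "$configured" ]; then
        echo unset                    # rc.conf does not set securelevel at all
    elif [ "$configured" -eq "$running" ]; then
        echo matches
    elif securelevel_transition_allowed "$running" "$configured"; then
        echo raise-needed             # root could apply it now with sysctl -w
    else
        echo below-running            # cannot take effect without a reboot
    fi
}

# Stand-alone demonstration on the constructed sample.
rc=$(sample_rcconf)
echo "running: $(securelevel_current), rc.conf: $(rcconf_securelevel "$rc")," \
     "status: $(securelevel_audit "$(securelevel_current)" "$(rcconf_securelevel "$rc")")"
rm -f "$rc"
```

On a NetBSD host `securelevel_current` picks up the live value; elsewhere the constructed sample is used so the decision logic can still be run and checked.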


# See also

* <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>
