Diff for /wikisrc/kernel_secure_levels.mdwn between versions 1.1 and 1.2

version 1.1, 2011/11/21 03:22:58 version 1.2, 2012/02/05 07:14:36
Line 1 Line 1
 **Contents**  **Contents**
   
 [[!toc levels=3]]  [[!toc levels=3]]
   
 #  Introduction  #  Introduction 
   
 Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with **sysctl kern.securelevel**, once the level has been set in the bootup process using the securelevel option in **/etc/rc.conf** you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2.  Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with **sysctl kern.securelevel**, once the level has been set in the bootup process using the securelevel option in **/etc/rc.conf** you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2. 
   
 The [[basics/sysctl]] variable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security.  The [[basics/sysctl]] variable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security. 
   
   
 #  Securelevel restrictions  #  Securelevel restrictions 
   
 secmodel_bsd44(9) defeines the following restrictions:  secmodel_bsd44(9) defeines the following restrictions: 
   
 ##  -1 Permanently insecure mode  ##  -1 Permanently insecure mode 
   
   * Don't raise the securelevel on boot    * Don't raise the securelevel on boot 
   
 ##  0 Insecure mode  ##  0 Insecure mode 
   
   * The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs.    * The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs. 
   * Immutable and append-only file flags may be changed    * Immutable and append-only file flags may be changed 
   * All devices may be read or written subject to their permissions    * All devices may be read or written subject to their permissions 
   
 _Note: You can`t run X11 above this securelevel_  _Note: You can`t run X11 above this securelevel_
   
 _Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._  _Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._
   
   
 ##  1 Secure mode  ##  1 Secure mode 
   
   * All effects of securelevel 0    * All effects of securelevel 0 
   * /dev/mem and /dev/kmem may not be written to    * /dev/mem and /dev/kmem may not be written to 
   * Raw disk devices of mounted file systems are read-only    * Raw disk devices of mounted file systems are read-only 
   * Immutable and append-only file flags may not be removed    * Immutable and append-only file flags may not be removed 
   * Kernel modules may not be loaded or unloaded    * Kernel modules may not be loaded or unloaded 
   * The net.inet.ip.sourceroute sysctl(8) variable may not be changed    * The net.inet.ip.sourceroute sysctl(8) variable may not be changed 
   * Adding or removing sysctl(9) nodes is denied    * Adding or removing sysctl(9) nodes is denied 
   * The RTC offset may not be changed    * The RTC offset may not be changed 
   * Set-id coredump settings may not be altered    * Set-id coredump settings may not be altered 
   * Attaching the IP-based kernel debugger, ipkdb(4), is not allowed    * Attaching the IP-based kernel debugger, ipkdb(4), is not allowed 
   * Device ``pass-thru_ requests that may be used to perform raw disk and/or memory access are denied_    * Device ``pass-thru_ requests that may be used to perform raw disk and/or memory access are denied_
   * iopl and ioperm calls are denied    * iopl and ioperm calls are denied 
   * Access to unmanaged memory is denied    * Access to unmanaged memory is denied 
   
 ##  2 Highly secure mode  ##  2 Highly secure mode 
   
   * All effects of securelevel 1    * All effects of securelevel 1 
   * Raw disk devices are always read-only whether mounted or not    * Raw disk devices are always read-only whether mounted or not 
   * New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only    * New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only 
   * The system clock may not be set backwards or close to overflow    * The system clock may not be set backwards or close to overflow 
   * Per-process coredump name may not be changed    * Per-process coredump name may not be changed 
   * Packet filtering and NAT rules may not be altered    * Packet filtering and NAT rules may not be altered 
   
 #  Examining and changing securelevel  #  Examining and changing securelevel 
   
 As a user, you can see the current value of securelevel:  As a user, you can see the current value of securelevel: 
          
     $ sysctl kern.securelevel      $ sysctl kern.securelevel
     kern.securelevel = -1      kern.securelevel = -1
          
   
 But of course, you cannot change it:  But of course, you cannot change it: 
          
     $ sysctl -w kern.securelevel=0      $ sysctl -w kern.securelevel=0
     sysctl: kern.securelevel: sysctl() failed with Operation not permitted      sysctl: kern.securelevel: sysctl() failed with Operation not permitted
          
   
 You need to be root to do that:  You need to be root to do that: 
          
     # sysctl -w kern.securelevel=1      # sysctl -w kern.securelevel=1
     kern.securelevel: -1 -> 1      kern.securelevel: -1 -> 1
          
   
 Once it is set, its value can never be set to a lower value again:  Once it is set, its value can never be set to a lower value again: 
          
     # sysctl -w kern.securelevel=-1      # sysctl -w kern.securelevel=-1
     sysctl: kern.securelevel: sysctl() failed with Operation not permitted      sysctl: kern.securelevel: sysctl() failed with Operation not permitted
          
   
 ... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>:  ... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>: 
          
     db> w/l securelevel (-1)      db> w/l securelevel (-1)
     netbsd:securelevel   0x1 -> 0xffffffff      netbsd:securelevel   0x1 -> 0xffffffff
     db> c      db> c
          
   
 #  Setting securelevel permanently  #  Setting securelevel permanently 
   
 The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]).  The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]). 
   
   
 #  See also  #  See also 
   
   * <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>    * <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>
   

Removed from v.1.1  
changed lines
  Added in v.1.2


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb