Annotation of wikisrc/tutorials/kernel_secure_levels.mdwn, revision 1.2

1.1       sevan       1: **Contents**
                      2: 
                      3: [[!toc levels=3]]
                      4: 
                      5: #  Introduction 
                      6: 
                      7: Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with **sysctl kern.securelevel**, once the level has been set in the bootup process using the securelevel option in **/etc/rc.conf** you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2. 
                      8: 
                      9: The [[basics/sysctl]] variable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security. 
                     10: 
                     11: 
                     12: #  Securelevel restrictions 
                     13: 
                     14: secmodel_bsd44(9) defines the following restrictions: 
                     15: 
                     16: ##  -1 Permanently insecure mode 
                     17: 
                     18:   * Don't raise the securelevel on boot 
                     19: 
                     20: ##  0 Insecure mode 
                     21: 
                     22:   * The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs. 
                     23:   * Immutable and append-only file flags may be changed 
                     24:   * All devices may be read or written subject to their permissions 
                     25: 
1.2     ! wiki       26: _Note: You can't run X11 with legacy (e.g. VESA) drivers above this securelevel_
1.1       sevan      27: 
                     28: _Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._
                     29: 
                     30: 
                     31: ##  1 Secure mode 
                     32: 
                     33:   * All effects of securelevel 0 
                     34:   * /dev/mem and /dev/kmem may not be written to 
                     35:   * Raw disk devices of mounted file systems are read-only 
                     36:   * Immutable and append-only file flags may not be removed 
                     37:   * Kernel modules may not be loaded or unloaded 
                     38:   * The net.inet.ip.sourceroute sysctl(8) variable may not be changed 
                     39:   * Adding or removing sysctl(9) nodes is denied 
                     40:   * The RTC offset may not be changed 
                     41:   * Set-id coredump settings may not be altered 
                     42:   * Attaching the IP-based kernel debugger, ipkdb(4), is not allowed 
                     43:   * Device ``pass-thru_ requests that may be used to perform raw disk and/or memory access are denied_
                     44:   * iopl and ioperm calls are denied 
                     45:   * Access to unmanaged memory is denied 
                     46: 
                     47: ##  2 Highly secure mode 
                     48: 
                     49:   * All effects of securelevel 1 
                     50:   * Raw disk devices are always read-only whether mounted or not 
                     51:   * New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only 
                     52:   * The system clock may not be set backwards or close to overflow 
                     53:   * Per-process coredump name may not be changed 
                     54:   * Packet filtering and NAT rules may not be altered 
                     55: 
                     56: #  Examining and changing securelevel 
                     57: 
                     58: As a user, you can see the current value of securelevel: 
                     59:     
                     60:     $ sysctl kern.securelevel
                     61:     kern.securelevel = -1
                     62:     
                     63: 
                     64: But of course, you cannot change it: 
                     65:     
                     66:     $ sysctl -w kern.securelevel=0
                     67:     sysctl: kern.securelevel: sysctl() failed with Operation not permitted
                     68:     
                     69: 
                     70: You need to be root to do that: 
                     71:     
                     72:     # sysctl -w kern.securelevel=1
                     73:     kern.securelevel: -1 -> 1
                     74:     
                     75: 
                     76: Once it is set, its value can never be set to a lower value again: 
                     77:     
                     78:     # sysctl -w kern.securelevel=-1
                     79:     sysctl: kern.securelevel: sysctl() failed with Operation not permitted
                     80:     
                     81: 
                     82: ... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>: 
                     83:     
                     84:     db> w/l securelevel (-1)
                     85:     netbsd:securelevel   0x1 -> 0xffffffff
                     86:     db> c
                     87:     
                     88: 
                     89: #  Setting securelevel permanently 
                     90: 
                     91: The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]). 
                     92: 
                     93: 
                     94: #  See also 
                     95: 
                     96:   * <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>
                     97: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb