File:  [NetBSD Developer Wiki] / wikisrc / tutorials / kernel_secure_levels.mdwn
Revision 1.1: download - view: text, annotated - select for diffs
Sat Apr 27 20:19:32 2019 UTC (14 months, 1 week ago) by sevan
Branches: MAIN
CVS tags: HEAD
Move content obtained from wiki.netbsd.se to tutorials section to reduce clutter.

    1: **Contents**
    2: 
    3: [[!toc levels=3]]
    4: 
    5: #  Introduction 
    6: 
    7: Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with **sysctl kern.securelevel**, once the level has been set in the bootup process using the securelevel option in **/etc/rc.conf** you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2. 
    8: 
    9: The [[basics/sysctl]] variable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security. 
   10: 
   11: 
   12: #  Securelevel restrictions 
   13: 
   14: secmodel_bsd44(9) defines the following restrictions: 
   15: 
   16: ##  -1 Permanently insecure mode 
   17: 
   18:   * Don't raise the securelevel on boot 
   19: 
   20: ##  0 Insecure mode 
   21: 
   22:   * The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs. 
   23:   * Immutable and append-only file flags may be changed 
   24:   * All devices may be read or written subject to their permissions 
   25: 
   26: _Note: You can`t run X11 above this securelevel_
   27: 
   28: _Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._
   29: 
   30: 
   31: ##  1 Secure mode 
   32: 
   33:   * All effects of securelevel 0 
   34:   * /dev/mem and /dev/kmem may not be written to 
   35:   * Raw disk devices of mounted file systems are read-only 
   36:   * Immutable and append-only file flags may not be removed 
   37:   * Kernel modules may not be loaded or unloaded 
   38:   * The net.inet.ip.sourceroute sysctl(8) variable may not be changed 
   39:   * Adding or removing sysctl(9) nodes is denied 
   40:   * The RTC offset may not be changed 
   41:   * Set-id coredump settings may not be altered 
   42:   * Attaching the IP-based kernel debugger, ipkdb(4), is not allowed 
   43:   * Device ``pass-thru_ requests that may be used to perform raw disk and/or memory access are denied_
   44:   * iopl and ioperm calls are denied 
   45:   * Access to unmanaged memory is denied 
   46: 
   47: ##  2 Highly secure mode 
   48: 
   49:   * All effects of securelevel 1 
   50:   * Raw disk devices are always read-only whether mounted or not 
   51:   * New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only 
   52:   * The system clock may not be set backwards or close to overflow 
   53:   * Per-process coredump name may not be changed 
   54:   * Packet filtering and NAT rules may not be altered 
   55: 
   56: #  Examining and changing securelevel 
   57: 
   58: As a user, you can see the current value of securelevel: 
   59:     
   60:     $ sysctl kern.securelevel
   61:     kern.securelevel = -1
   62:     
   63: 
   64: But of course, you cannot change it: 
   65:     
   66:     $ sysctl -w kern.securelevel=0
   67:     sysctl: kern.securelevel: sysctl() failed with Operation not permitted
   68:     
   69: 
   70: You need to be root to do that: 
   71:     
   72:     # sysctl -w kern.securelevel=1
   73:     kern.securelevel: -1 -> 1
   74:     
   75: 
   76: Once it is set, its value can never be set to a lower value again: 
   77:     
   78:     # sysctl -w kern.securelevel=-1
   79:     sysctl: kern.securelevel: sysctl() failed with Operation not permitted
   80:     
   81: 
   82: ... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>: 
   83:     
   84:     db> w/l securelevel (-1)
   85:     netbsd:securelevel   0x1 -> 0xffffffff
   86:     db> c
   87:     
   88: 
   89: #  Setting securelevel permanently 
   90: 
   91: The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]). 
   92: 
   93: 
   94: #  See also 
   95: 
   96:   * <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>
   97: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb