Page MenuHomeFreeBSD

kdb: Modify securelevel policy
ClosedPublic

Authored by markj on Oct 25 2022, 6:09 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 2, 8:30 AM
Unknown Object (File)
Fri, Nov 29, 3:09 AM
Unknown Object (File)
Nov 18 2024, 11:13 AM
Unknown Object (File)
Nov 18 2024, 10:08 AM
Unknown Object (File)
Oct 21 2024, 3:17 PM
Unknown Object (File)
Sep 30 2024, 4:27 PM
Unknown Object (File)
Sep 26 2024, 2:01 AM
Unknown Object (File)
Sep 24 2024, 12:04 PM
Subscribers

Details

Summary

Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel. However, mac_ddb prohibits DDB operations which could be
abused to lower securelevel while retaining some ability to gather
useful information.

To enable the use of KDB (specifically, DDB) with a raised securelevel,
change the policy a bit following a suggestion from mhorne. Rather than
relying on CTLFLAG_SECURE, add a check of the current securelevel to
kdb_trap(). If the securelevel is raised, only pass control to the
backend if MAC specifically grants access; otherwise simply check to see
if mac_ddb vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour. That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj requested review of this revision.Oct 25 2022, 6:09 PM

D37106 implements the alternate approach.

One nit, but this looks great.

One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

sys/kern/subr_kdb.c
769–770

Need to drop this #ifdef now.

sys/security/mac/mac_kdb.c
47

ahhh now I see :)

This revision is now accepted and ready to land.Oct 25 2022, 6:38 PM

Regarding documentation, you might need to tweak the securelevel description in security(7), and/or add a paragraph about "interaction with securelevel" to mac_ddb(4).

One nit, but this looks great.

Definitely better than what I came up with originally. :)

One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

Right. You need to explicitly allow that with CTLFLAGS.

This revision now requires review to proceed.Oct 25 2022, 6:52 PM
This revision is now accepted and ready to land.Oct 25 2022, 8:09 PM
This revision was automatically updated to reflect the committed changes.