Page MenuHomeFreeBSD
Differential D37122

kdb: Modify securelevel policy
ClosedPublic
Actions

Authored by markj on Oct 25 2022, 6:09 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 21, 3:17 PM
Unknown Object (File)
Sep 30 2024, 4:27 PM
Unknown Object (File)
Sep 26 2024, 2:01 AM
Unknown Object (File)
Sep 24 2024, 12:04 PM
Unknown Object (File)
Sep 18 2024, 10:42 AM
Unknown Object (File)
Sep 17 2024, 1:06 PM
Unknown Object (File)
Sep 15 2024, 9:00 PM
Unknown Object (File)
Sep 10 2024, 2:56 PM
View All 50 Files
Subscribers
imp

Details

Reviewers
stevek
mhorne
Commits
rGcab1056105e3: kdb: Modify securelevel policy
Summary

Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel. However, mac_ddb prohibits DDB operations which could be
abused to lower securelevel while retaining some ability to gather
useful information.

To enable the use of KDB (specifically, DDB) with a raised securelevel,
change the policy a bit following a suggestion from mhorne. Rather than
relying on CTLFLAG_SECURE, add a check of the current securelevel to
kdb_trap(). If the securelevel is raised, only pass control to the
backend if MAC specifically grants access; otherwise simply check to see
if mac_ddb vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour. That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Oct 25 2022, 6:09 PM
Herald added a subscriber: imp. · View Herald TranscriptOct 25 2022, 6:09 PM
markj requested review of this revision.Oct 25 2022, 6:09 PM
Harbormaster completed remote builds in B47991: Diff 112193.Oct 25 2022, 6:09 PM
markj added a comment.Oct 25 2022, 6:10 PM

D37106 implements the alternate approach.

mhorne accepted this revision.Oct 25 2022, 6:38 PM

One nit, but this looks great.

One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

sys/kern/subr_kdb.c
769–770

Need to drop this #ifdef now.

sys/security/mac/mac_kdb.c
47

ahhh now I see :)

This revision is now accepted and ready to land.Oct 25 2022, 6:38 PM
mhorne added a comment.Oct 25 2022, 6:41 PM

Regarding documentation, you might need to tweak the securelevel description in security(7), and/or add a paragraph about "interaction with securelevel" to mac_ddb(4).

markj marked an inline comment as done.Oct 25 2022, 6:52 PM
In D37122#843016, @mhorne wrote:

One nit, but this looks great.

Definitely better than what I came up with originally. :)

One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

Right. You need to explicitly allow that with CTLFLAGS.

markj updated this revision to Diff 112198.Oct 25 2022, 6:52 PM

Drop an incorrect ifdef.

This revision now requires review to proceed.Oct 25 2022, 6:52 PM
Harbormaster completed remote builds in B47996: Diff 112198.Oct 25 2022, 6:52 PM
mhorne accepted this revision.Oct 25 2022, 8:09 PM
This revision is now accepted and ready to land.Oct 25 2022, 8:09 PM
stevek accepted this revision.Mar 14 2023, 6:48 PM
Closed by commit rGcab1056105e3: kdb: Modify securelevel policy (authored by markj). · Explain WhyMar 30 2023, 2:57 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGcab1056105e3: kdb: Modify securelevel policy.

Revision Contents
Changeset List

PathSize
share/
man/
man7/
7 lines
sys/
kern/
12 lines
46 lines
security/
mac/
1 line
9 lines

Diff 119669

View Options

share/man/man7/security.7

Loading...
View Options

sys/kern/kern_shutdown.c

Loading...
View Options

sys/kern/subr_kdb.c

Loading...
View Options

sys/security/mac/mac_framework.h

Loading...
View Options

sys/security/mac/mac_kdb.c

Loading...