kern/161350: securelevel 3 can be lowered thru ddb
David O'Brien
obrien at FreeBSD.org
Fri Oct 7 05:40:08 UTC 2011
>Number: 161350
>Category: kern
>Synopsis: securelevel 3 can be lowered thru ddb
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 07 05:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: David O'Brien
>Release: FreeBSD 9.0-CURRENT i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD dragon.NUXI.org 9.0-CURRENT FreeBSD 9.0-CURRENT #669 r223636M: Wed Jun 29 17:54:57 PDT 2011 rootk at dragon.NUXI.org:/sys/i386/compile/DRAGON i386
>Description:
'securelevel' is intended to disallow attempts to lower its value
(when set to 1 or larger).
However, one may trivially enter ddb and lower the value.
Given the behavior changes documented in security(7), I believe this
to be against the spirit of 'securelevel' and against the desire of
users of securelevel at 1+.
>How-To-Repeat:
# sysctl kern.securelevel=3
kern.securelevel: 0 -> 3
# sysctl kern.securelevel=0
kern.securelevel: 3
sysctl: kern.securelevel: Operation not permitted
# sysctl debug.kdb.enter=1
KDB: enter: sysctl debug.kdb.enter
[ thread pid 33529 tid 100134 ]
Stopped at 0xffffffff808229ab = kdb_enter+0x3b: movq $0,0x92d732(%rip)
db> print *(prison0 + 0xfc)
3
db> write (prison0 + 0xfc) 0
0xffffffff8103f85c = prison0+0xfc 0x3 = 0
db> print *(prison0 + 0xfc)
0
db> c
debug.kdb.enter: 0 -> 0
# sysctl kern.securelevel=0
kern.securelevel: 0 -> 0
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list