Date:      Fri, 9 Feb 2001 10:56:53 -0800 (PST)
From:      Luigi Rizzo <rizzo@aciri.org>
To:        security@freebsd.org
Subject:   adding securelevel control to r/w sysctl variables...
Message-ID:  <200102091856.f19Iurp06264@iguana.aciri.org>

Hi,

the attached code (for -STABLE, but should be similar for -CURRENT)
permits limiting write access to sysctl variables based on
the value of "securelevel".

If there are no objections, i would like to commit and MFC this
code (and start protecting some of the sysctl knobs which definitely
need it!!).

For the record, CTLFLAG_SECURE was in the header but was not used
by any variable that i know of, so the change of semantics should
not give problems.  Furthermore -- this is not implemented yet,
but the header reserves a couple of flags to mark that a given
variable cannot be raised or lowered.

Implementation is trivial (once i sort out how to get
the old and new value of the parameters in sysctl_handle_*() )
and when present it could be used to replace the implementation
of kern.securelevel with a standard SYSCTL_INT.

Feedback welcome... possibly to me as well, as i do not subscribe
to the security list.

	cheers
	luigi

Index: sys/sysctl.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/sysctl.h,v
retrieving revision 1.81.2.3
diff -u -r1.81.2.3 sysctl.h
--- sys/sysctl.h	2000/09/25 12:09:20	1.81.2.3
+++ sys/sysctl.h	2001/02/09 18:02:40
@@ -79,9 +79,19 @@
 #define CTLFLAG_RW	(CTLFLAG_RD|CTLFLAG_WR)
 #define CTLFLAG_NOLOCK	0x20000000	/* XXX Don't Lock */
 #define CTLFLAG_ANYBODY	0x10000000	/* All users can set this var */
-#define CTLFLAG_SECURE	0x08000000	/* Permit set only if securelevel<=0 */
+#define CTLFLAG_SECURE	0x08000000	/* Permit set only if securelevel<0 */
 #define CTLFLAG_PRISON	0x04000000	/* Prisoned roots can fiddle */
 #define CTLFLAG_DYN	0x02000000	/* Dynamic oid - can be freed */
+
+#define	CTLFLAG_NORAISE	0x01000000	/* cannot be raised */
+#define	CTLFLAG_NOLOWER	0x00800000	/* cannot be lowered */
+#define	CTLFLAG_S_MASK	0x000f0000	/* max securelevel to change */
+#define	CTLFLAG_S_MASK_OFS	16	/* rightmost 1 in above */
+/*
+ * cannot modify variable if (securelevel >= i)
+ */
+#define	CTLFLAG_SECURELEVEL(i)						\
+    ( (((i)<<CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK) | CTLFLAG_SECURE )
 
 /*
  * USE THIS instead of a hardwired number from the categories below
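Review bot: with the new test `securelevel >= i`, a variable flagged with bare CTLFLAG_SECURE carries level bits of zero, so it is refused already at securelevel 0; the updated comment (`securelevel<0`) documents this, but since the old comment promised `securelevel<=0`, the header should state that new users wanting the old behaviour must use CTLFLAG_SECURELEVEL(i) with i >= 1. CTLFLAG_S_MASK keeps only four bits, so CTLFLAG_SECURELEVEL(i) with i > 15 silently masks down (16 becomes 0, i.e. bare CTLFLAG_SECURE); a comment stating the valid range 0..15, or a compile-time guard, would prevent that. The new bit values 0x01000000, 0x00800000 and 0x000f0000 also need checking against flags defined elsewhere in this header, outside the hunk, for collisions.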
Index: kern/kern_sysctl.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.92.2.3
diff -u -r1.92.2.3 kern_sysctl.c
--- kern/kern_sysctl.c	2000/09/25 12:09:20	1.92.2.3
+++ kern/kern_sysctl.c	2001/02/09 18:02:52
@@ -1012,9 +1012,15 @@
 	}
 
 	/* If writing isn't allowed */
-	if (req->newptr && (!(oid->oid_kind & CTLFLAG_WR) ||
-	    ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0)))
-		return (EPERM);
+	if (req->newptr) {
+	    if (!(oid->oid_kind & CTLFLAG_WR))
+		return EPERM ;
+	    if (oid->oid_kind & CTLFLAG_SECURE) {
+		int i = (oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS;
+		if (securelevel >= i)
+		    return (EPERM);
+	    }
+	}
 
 	/* Most likely only root can write */
 	if (!(oid->oid_kind & CTLFLAG_ANYBODY) &&
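Review bot: `return EPERM ;` in the new block is inconsistent with `return (EPERM);` three lines below and with the kernel's style(9) convention of parenthesised return values; the block also mixes four-space and tab indentation, while the surrounding code uses tabs. The logic matches the header: when CTLFLAG_SECURE is set without level bits, `i` evaluates to 0 and the write is refused at securelevel 0, the default running state, so the commit message should call out that bare CTLFLAG_SECURE is now stricter than the old `securelevel > 0` test.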

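The securelevel gate proposed in the mail, as an added userland model that is not part of Luigi's patch or of FreeBSD: the flag values are copied from the hunks, CTLFLAG_WR is assumed to be 0x40000000 as in the surrounding header, and `writing` stands in for `req->newptr != NULL`. It also shows the edge case that a bare CTLFLAG_SECURE, or a level above 15, masks down to i = 0 and refuses writes at securelevel 0.

```c
#include <errno.h>
#include <stdio.h>
/* Flag values from the patched sys/sysctl.h; CTLFLAG_WR is assumed to be
 * 0x40000000 as in the surrounding header (not shown in the hunk). */
#define CTLFLAG_WR          0x40000000
#define CTLFLAG_SECURE      0x08000000
#define CTLFLAG_S_MASK      0x000f0000
#define CTLFLAG_S_MASK_OFS  16
#define CTLFLAG_SECURELEVEL(i) \
    ((((i) << CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK) | CTLFLAG_SECURE)

/* Models the patched test in kern_sysctl.c: 0 means the write may proceed,
 * EPERM means it is refused.  `writing` stands in for req->newptr != NULL. */
int sysctl_write_check(unsigned oid_kind, int securelevel, int writing)
{
    if (!writing)
        return 0;                         /* reads are never gated here */
    if (!(oid_kind & CTLFLAG_WR))
        return EPERM;                     /* read-only variable */
    if (oid_kind & CTLFLAG_SECURE) {
        /* Only four bits survive the mask (i is 0..15): bare CTLFLAG_SECURE
         * and CTLFLAG_SECURELEVEL(16) both give i == 0, refused at level 0. */
        int i = (oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS;
        if (securelevel >= i)
            return EPERM;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample knobs, one per flag combination of interest. */
    const struct { const char *name; unsigned kind; } knobs[] = {
        { "plain RW",        CTLFLAG_WR },
        { "bare SECURE",     CTLFLAG_WR | CTLFLAG_SECURE },
        { "SECURELEVEL(1)",  CTLFLAG_WR | CTLFLAG_SECURELEVEL(1) },
        { "SECURELEVEL(16)", CTLFLAG_WR | CTLFLAG_SECURELEVEL(16) },
    };
    printf("%-16s", "securelevel:");
    for (int lvl = -1; lvl <= 3; lvl++)
        printf(" %4d", lvl);
    printf("\n");
    for (size_t k = 0; k < sizeof knobs / sizeof knobs[0]; k++) {
        printf("%-16s", knobs[k].name);
        for (int lvl = -1; lvl <= 3; lvl++)
            printf("  %s", sysctl_write_check(knobs[k].kind, lvl, 1) ? " no" : "yes");
        printf("\n");
    }
    return 0;
}
```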
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102091856.f19Iurp06264>