From: Luigi Rizzo
Message-Id: <200102091856.f19Iurp06264@iguana.aciri.org>
Subject: adding securelevel control to r/w sysctl variables...
To: security@freebsd.org
Date: Fri, 9 Feb 2001 10:56:53 -0800 (PST)

Hi,

the attached code (for -STABLE, but it should be similar for -CURRENT) permits limiting write access to sysctl variables based on the value of "securelevel". If there are no objections, I would like to commit and MFC this code (and start protecting some of the sysctl knobs which definitely need it!!).

For the record, CTLFLAG_SECURE was in the header but was not used by any variable that I know of, so the change of semantics should not cause problems.

Furthermore -- this is not implemented yet, but the header reserves a couple of flags to mark that a given variable cannot be raised or lowered. Implementation is trivial (once I sort out how to get the old and new values of the parameters in sysctl_handle_*()) and when present it could be used to replace the implementation of kern.securelevel with a standard SYSCTL_INT.

Feedback welcome... possibly to me as well, as I do not subscribe to the security list.

cheers
luigi

Index: sys/sysctl.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/sysctl.h,v
retrieving revision 1.81.2.3
diff -u -r1.81.2.3 sysctl.h
--- sys/sysctl.h 2000/09/25 12:09:20 1.81.2.3
+++ sys/sysctl.h 2001/02/09 18:02:40
@@ -79,9 +79,19 @@ #define CTLFLAG_RW (CTLFLAG_RD|CTLFLAG_WR) #define CTLFLAG_NOLOCK 0x20000000 /* XXX Don't Lock */ #define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */ -#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */ +#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<0 */ #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ + +#define CTLFLAG_NORAISE 0x01000000 /* cannot be raised */ +#define CTLFLAG_NOLOWER 0x00800000 /* cannot be lowered */ +#define CTLFLAG_S_MASK 0x000f0000 /* max securelevel to change */ +#define CTLFLAG_S_MASK_OFS 16 /* rightmost 1 in above */ +/* + * cannot modify variable if (securelevel >= i) + */ +#define CTLFLAG_SECURELEVEL(i) \ + ( (((i)<newptr && (!(oid->oid_kind & CTLFLAG_WR) || - ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0))) - return (EPERM); + if (req->newptr) { + if (!(oid->oid_kind & CTLFLAG_WR)) + return EPERM ; + if (oid->oid_kind & CTLFLAG_SECURE) { + int i = (oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS; + if (securelevel >= i) + return (EPERM); + } + } /* Most likely only root can write */ if (!(oid->oid_kind & CTLFLAG_ANYBODY) && To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
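Review bot: in the sysctl.h hunk, the comment change on CTLFLAG_SECURE (`securelevel<=0` to `securelevel<0`) is a real tightening, not a comment fix: with no level bits set the mask decodes to 0, and the new check refuses writes already at securelevel 0, where the old code allowed them. Worth a sentence in the header saying that a bare CTLFLAG_SECURE now means "insecure mode only" and that CTLFLAG_SECURELEVEL(1) reproduces the old behaviour, and that CTLFLAG_NORAISE and CTLFLAG_NOLOWER are reserved but not yet enforced, so nobody relies on them before the enforcing code lands. Also confirm that bits 16..19 (CTLFLAG_S_MASK) and the two new single bits are not claimed anywhere else in the CTLFLAG_/CTLTYPE_ space on both -STABLE and -CURRENT.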
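Review bot: in the kern_sysctl.c hunk, `return EPERM ;` in the first new branch breaks style(9) (parenthesised return value, no space before `;`) and differs from the `return (EPERM);` a few lines below; make it `return (EPERM);`. The decode `(oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS` is the inverse of the encoder being added to sysctl.h, so it belongs next to that encoder as a macro (e.g. a CTLFLAG_GETLEVEL(kind)) rather than being spelled out in kern_sysctl.c; that keeps encode and decode together if the mask or offset ever moves.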
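As an added illustration, not part of Luigi's patch: the removed and added write checks from the kern_sysctl.c hunk placed side by side, tabulated over securelevels -1..2 for a bare CTLFLAG_SECURE knob and for a constructed knob with limit 1. The CTLFLAG_SECURELEVEL body is cut off in the message above, so the SECURELEVEL_FLAGS encoder here is an assumption reconstructed from the mask and the header comment.

```c
#include <errno.h>
#include <stdio.h>
/* Flag bits as in the posted sysctl.h hunk. */
#define CTLFLAG_RD         0x80000000
#define CTLFLAG_WR         0x40000000
#define CTLFLAG_RW         (CTLFLAG_RD|CTLFLAG_WR)
#define CTLFLAG_SECURE     0x08000000
#define CTLFLAG_S_MASK     0x000f0000
#define CTLFLAG_S_MASK_OFS 16

/* Hypothetical encoder (assumed; not the patch's truncated CTLFLAG_SECURELEVEL). */
#define SECURELEVEL_FLAGS(i) \
	(CTLFLAG_SECURE | (((unsigned)(i) << CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK))

/* Check from the removed kern_sysctl.c lines: deny only when securelevel > 0. */
int old_write_check(unsigned oid_kind, int securelevel)
{
	if (!(oid_kind & CTLFLAG_WR) ||
	    ((oid_kind & CTLFLAG_SECURE) && securelevel > 0))
		return (EPERM);
	return (0);
}

/* Check from the added lines: deny once securelevel >= the encoded limit. */
int new_write_check(unsigned oid_kind, int securelevel)
{
	if (!(oid_kind & CTLFLAG_WR))
		return (EPERM);
	if (oid_kind & CTLFLAG_SECURE) {
		int i = (oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS;
		if (securelevel >= i)
			return (EPERM);
	}
	return (0);
}

int main(void)
{
	/* Constructed knobs: bare CTLFLAG_SECURE, and one with limit 1. */
	unsigned bare = CTLFLAG_RW | CTLFLAG_SECURE;
	unsigned lvl1 = CTLFLAG_RW | SECURELEVEL_FLAGS(1);
	int sl;
	printf("securelevel old(bare) new(bare) new(limit 1)\n");
	for (sl = -1; sl <= 2; sl++)
		printf("%11d %9s %9s %12s\n", sl,
		    old_write_check(bare, sl) ? "EPERM" : "ok",
		    new_write_check(bare, sl) ? "EPERM" : "ok",
		    new_write_check(lvl1, sl) ? "EPERM" : "ok");
	return (0);
}
```

The table shows the semantic shift the message mentions: a bare CTLFLAG_SECURE knob is writable at securelevel 0 under the old check but refused under the new one, while a knob encoded with limit 1 behaves like the old bare flag.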