Date: Fri, 15 Oct 1999 12:53:39 -0400 (EDT) From: Antoine Beaupre <beaupran@IRO.UMontreal.CA> To: Mike Nowlin <mike@argos.org> Cc: "Rashid N. Achilov" <shelton@sentry.granch.ru>, freebsd-security@FreeBSD.ORG Subject: Re: kern.securelevel and X Message-ID: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA> References: <XFMail.991015111802.shelton@sentry.granch.ru> <Pine.LNX.4.05.9910150036170.5339-100000@jason.argos.org>
next in thread | previous in thread | raw e-mail | index | archive | help
The reference is man init:
"
The kernel runs with four different levels of security. Any superuser
process can raise the security level, but only init can lower it. The
security levels are:
-1 Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted filesystems, /dev/mem, and
/dev/kmem may not be opened for writing.
2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with filesystems by unmounting them,
but also inhibits running newfs(8) while the system is multi-user.
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8) and ipfirewall(4)) can not be changed
and dummynet configuration can not be adjusted.
" (by the web manpages, 3.1-release)
So that's exactly it. X cannot write to mem or kmem.
I thought this was in securelevel 2, though.
I guess there is no way to run X in secure level > 0, right?
--- Big Brother told Mike Nowlin to write, at 00:39 of October 15:
>
> > Why I can't start X with kern.securelevel more than -1?
> >
> > When I attempt start X with kern.securelevel 1 or 2, startx crashed with
> > "KBENBIO (or like that): Operation not permitted"
>
> It's been a while since I read something about this, but let's see how
> good my memory is -- corrections welcomed.... :)
>
> When running with a >0 securelevel, X can't access the video memory due to
> security restrictions (probably something about letting a non-kernel
> process access any kind of I/O or memory port directly), so the X server
> can't talk to the video card -- boom.
>
> Am I right?
>
> mike
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Si l'image donne l'illusion de savoir
C'est que l'adage pretend que pour croire,
L'important ne serait que de voir
Lofofora
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14343.23571.679909.243732>