Date: Fri, 12 Nov 2021 18:40:21 -0500 From: grarpamp <grarpamp@gmail.com> To: current@freebsd.org Cc: security@freebsd.org Subject: Re: Extracting base.txz files missing flags Message-ID: <CAD2Ti299V92ZOAo9-_Jb1ywQS9dgB9d5ib94NVYLLJ%2BhnZrFpA@mail.gmail.com> In-Reply-To: <72ea461d-6b16-a661-ac73-66aeb098208d@quip.cz> References: <87fss1rxfl.wl-herbert@gojira.at> <CAD2Ti2-gL-%2Bjn949pGD9fkv_NS_ZCUqdx0S0giv=diJK0NT_1g@mail.gmail.com> <72ea461d-6b16-a661-ac73-66aeb098208d@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
> Maybe you missed something - you cannot change flags when your system
> has security level (kern.securelevel) raised above 0.
Nobody missed that since anyone can
easily install default freebsd and observe...
$ sysctl kern.securelevel
kern.securelevel: -1
SECURITY(7) - introduction to security under FreeBSD
The security levels are:
-1 Permanently insecure mode - always run the system in insecure mode.
This is the default initial value.
Thus they have no effect as shipped.
Nor do the schg'd files posted interact jointly with
securelevels to produce more security together.
They're just a list of arbitrarily chosen anti-footshooters,
and anti-malware and other security theatre, that don't
really need to be managed by freebsd as such.
Though the handbook security section could point to some
port/pkg/mtree's if some users wanted to try making some
offerings there.
It would also be foolish to presume or suggest, without at
least continuous formal verification etc, that any of today's OS
cannot be compromised, regardless of whatever options are enabled.
Even then, you have the problem of all the secret blackbox hardware
aka CPU / NIC they all run on... #OpenFabs #OpenHW #OpenAudit .
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAD2Ti299V92ZOAo9-_Jb1ywQS9dgB9d5ib94NVYLLJ%2BhnZrFpA>