From obrien@NUXI.org  Fri Oct  7 05:38:41 2011
Return-Path: <obrien@NUXI.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 751CF106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  7 Oct 2011 05:38:41 +0000 (UTC)
	(envelope-from obrien@NUXI.org)
Received: from dragon.nuxi.org (trang.nuxi.org [74.95.12.85])
	by mx1.freebsd.org (Postfix) with ESMTP id 59DED8FC0C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  7 Oct 2011 05:38:41 +0000 (UTC)
Received: from dragon.nuxi.org (obrien@localhost [127.0.0.1])
	by dragon.nuxi.org (8.14.5/8.14.5) with ESMTP id p975P7R4047365
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 6 Oct 2011 22:25:07 -0700 (PDT)
	(envelope-from obrien@dragon.nuxi.org)
Received: (from obrien@localhost)
	by dragon.nuxi.org (8.14.5/8.14.4/Submit) id p975P764047364;
	Thu, 6 Oct 2011 22:25:07 -0700 (PDT)
	(envelope-from obrien)
Message-Id: <201110070525.p975P764047364@dragon.nuxi.org>
Date: Thu, 6 Oct 2011 22:25:07 -0700 (PDT)
From: "David O'Brien" <obrien@freebsd.org>
Reply-To: "David O'Brien" <obrien@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: securelevel 3 can be lowered thru ddb
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         161350
>Category:       kern
>Synopsis:       securelevel 3 can be lowered thru ddb
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    obrien
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 07 05:40:07 UTC 2011
>Closed-Date:    Fri Oct 07 06:15:22 UTC 2011
>Last-Modified:  Mon Jul  2 08:30:15 UTC 2012
>Originator:     David O'Brien
>Release:        FreeBSD 9.0-CURRENT i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD dragon.NUXI.org 9.0-CURRENT FreeBSD 9.0-CURRENT #669 r223636M: Wed Jun 29 17:54:57 PDT 2011 rootk@dragon.NUXI.org:/sys/i386/compile/DRAGON i386
>Description:
	'securelevel' is intended to disallow attempts to lower its value
	(when set to 1 or larger).

	However, one may trivially enter ddb and lower the value.
	Given the behavior changes documented in security(7), I believe this
	to be against the spirit of 'securelevel' and against the desire of
	users of securelevel at 1+.


>How-To-Repeat:
# sysctl kern.securelevel=3
kern.securelevel: 0 -> 3

# sysctl kern.securelevel=0
kern.securelevel: 3
sysctl: kern.securelevel: Operation not permitted

# sysctl debug.kdb.enter=1
KDB: enter: sysctl debug.kdb.enter
[ thread pid 33529 tid 100134 ]
Stopped at 0xffffffff808229ab = kdb_enter+0x3b:  movq $0,0x92d732(%rip)
db> print *(prison0 + 0xfc)
       3
db> write (prison0 + 0xfc) 0
0xffffffff8103f85c = prison0+0xfc  0x3 = 0
db> print *(prison0 + 0xfc)
       0
db> c
debug.kdb.enter: 0 -> 0

# sysctl kern.securelevel=0
kern.securelevel: 0 -> 0
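An added defender-side check, not part of the PR or of FreeBSD's own tooling: the commits in the audit trail gate the debug.kdb and debug.debugger_on_panic sysctls with CTLFLAG_SECURE, but those knobs remain boot tunables, so a host that relies on securelevel should also confirm that no boot-time path into ddb is still enabled. The function name, exit codes and verdict strings are assumptions of this example; audit_live assumes a FreeBSD host on which those sysctls exist.

```shell
#!/bin/sh
# Added audit helper (example code, not from the PR). Arguments are the values of
# kern.securelevel, debug.kdb.break_to_debugger, debug.kdb.alt_break_to_debugger
# and debug.debugger_on_panic (sysctl names as in the commits referenced by this PR).
# Exit status: 0 = securelevel is raised and no boot-time ddb entry path is on,
# 1 = a finding was reported, 2 = bad usage. The verdict text is constructed here.
audit_kdb_reachability() {
    if [ $# -ne 4 ]; then
        echo "usage: audit_kdb_reachability securelevel break altbreak dbg_on_panic" >&2
        return 2
    fi
    securelevel=$1 brk=$2 altbrk=$3 dop=$4
    findings=""
    if [ "$securelevel" -le 0 ]; then
        # CTLFLAG_SECURE only bites once securelevel is raised; at 0 root may still
        # flip debug.kdb.enter and the rest at will (the PR's starting state).
        echo "securelevel=$securelevel: debugger sysctls are writable, nothing enforced"
        return 1
    fi
    # CTLFLAG_SECURE stops runtime writes, but these three keep CTLFLAG_TUN, so a
    # value set at boot (before securelevel was raised) is still in effect.
    [ "$brk" -ne 0 ] && findings="$findings break_to_debugger=$brk"
    [ "$altbrk" -ne 0 ] && findings="$findings alt_break_to_debugger=$altbrk"
    [ "$dop" -ne 0 ] && findings="$findings debugger_on_panic=$dop"
    if [ -n "$findings" ]; then
        echo "securelevel=$securelevel but ddb is still reachable via:$findings"
        return 1
    fi
    echo "securelevel=$securelevel: no boot-time path into ddb is enabled"
    return 0
}

# Live wrapper for a FreeBSD host: sysctl -n prints one value per line, and the
# unquoted substitution splits them into the four positional arguments.
audit_live() {
    audit_kdb_reachability $(sysctl -n kern.securelevel \
        debug.kdb.break_to_debugger debug.kdb.alt_break_to_debugger \
        debug.debugger_on_panic)
}
```

Source the file and run audit_live on the host; a non-zero exit means securelevel is not actually standing between root and ddb.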

>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->obrien 
Responsible-Changed-By: obrien 
Responsible-Changed-When: Fri Oct 7 05:42:44 UTC 2011 
Responsible-Changed-Why:  
mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161350 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161350: commit references a PR
Date: Fri,  7 Oct 2011 05:47:40 +0000 (UTC)

 Author: obrien
 Date: Fri Oct  7 05:47:30 2011
 New Revision: 226089
 URL: http://svn.freebsd.org/changeset/base/226089
 
 Log:
   Disallow various debug.kdb sysctl's when securelevel is raised.
   
   PR:	161350
 
 Modified:
   head/share/man/man7/security.7
   head/sys/kern/subr_kdb.c
 
 Modified: head/share/man/man7/security.7
 ==============================================================================
 --- head/share/man/man7/security.7	Fri Oct  7 05:45:38 2011	(r226088)
 +++ head/share/man/man7/security.7	Fri Oct  7 05:47:30 2011	(r226089)
 @@ -544,6 +544,12 @@ may not be opened for writing;
  kernel modules (see
  .Xr kld 4 )
  may not be loaded or unloaded.
 +The kernel debugger may not be entered using the
 +.Va debug.kdb.enter
 +sysctl.
 +A panic or trap cannot be forced using the
 +.Va debug.kdb.panic
 +and other sysctl's.
  .It Ic 2
  Highly secure mode \- same as secure mode, plus disks may not be
  opened for writing (except by
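Review bot: ".Va debug.kdb.panic and other sysctl's" is too vague for a security(7) reader to verify what is actually protected; the subr_kdb.c hunk in this same commit flags exactly debug.kdb.enter, debug.kdb.panic, debug.kdb.trap, debug.kdb.trap_code, debug.kdb.break_to_debugger and debug.kdb.alt_break_to_debugger, so list those with .Va (and write "sysctls" rather than "sysctl's"). Placing the text in the securelevel 1 entry, before .It Ic 2, matches the CTLFLAG_SECURE gate, but the entry should also say that a debugger already enabled at boot is not disabled by raising securelevel.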
 
 Modified: head/sys/kern/subr_kdb.c
 ==============================================================================
 --- head/sys/kern/subr_kdb.c	Fri Oct  7 05:45:38 2011	(r226088)
 +++ head/sys/kern/subr_kdb.c	Fri Oct  7 05:47:30 2011	(r226089)
 @@ -90,25 +90,30 @@ SYSCTL_PROC(_debug_kdb, OID_AUTO, availa
  SYSCTL_PROC(_debug_kdb, OID_AUTO, current, CTLTYPE_STRING | CTLFLAG_RW, NULL,
      0, kdb_sysctl_current, "A", "currently selected KDB backend");
  
 -SYSCTL_PROC(_debug_kdb, OID_AUTO, enter, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
 +SYSCTL_PROC(_debug_kdb, OID_AUTO, enter,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
      kdb_sysctl_enter, "I", "set to enter the debugger");
  
 -SYSCTL_PROC(_debug_kdb, OID_AUTO, panic, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
 +SYSCTL_PROC(_debug_kdb, OID_AUTO, panic,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
      kdb_sysctl_panic, "I", "set to panic the kernel");
  
 -SYSCTL_PROC(_debug_kdb, OID_AUTO, trap, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
 +SYSCTL_PROC(_debug_kdb, OID_AUTO, trap,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
      kdb_sysctl_trap, "I", "set to cause a page fault via data access");
  
 -SYSCTL_PROC(_debug_kdb, OID_AUTO, trap_code, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
 +SYSCTL_PROC(_debug_kdb, OID_AUTO, trap_code,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
      kdb_sysctl_trap_code, "I", "set to cause a page fault via code access");
  
 -SYSCTL_INT(_debug_kdb, OID_AUTO, break_to_debugger, CTLTYPE_INT | CTLFLAG_RW |
 -    CTLFLAG_TUN, &kdb_break_to_debugger, 0, "Enable break to debugger");
 +SYSCTL_INT(_debug_kdb, OID_AUTO, break_to_debugger,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_TUN | CTLFLAG_SECURE,
 +    &kdb_break_to_debugger, 0, "Enable break to debugger");
  TUNABLE_INT("debug.kdb.break_to_debugger", &kdb_break_to_debugger);
  
 -SYSCTL_INT(_debug_kdb, OID_AUTO, alt_break_to_debugger, CTLTYPE_INT |
 -    CTLFLAG_RW | CTLFLAG_TUN, &kdb_alt_break_to_debugger, 0,
 -    "Enable alternative break to debugger");
 +SYSCTL_INT(_debug_kdb, OID_AUTO, alt_break_to_debugger,
 +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_TUN | CTLFLAG_SECURE,
 +    &kdb_alt_break_to_debugger, 0, "Enable alternative break to debugger");
  TUNABLE_INT("debug.kdb.alt_break_to_debugger", &kdb_alt_break_to_debugger);
  
  /*
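Review bot: these flags close the sysctl(8) doors but not the one a securelevel-reliant system most needs covered: break_to_debugger and alt_break_to_debugger keep CTLFLAG_TUN and their TUNABLE_INT hooks, so a value set at boot is honoured whatever securelevel is later raised to, and the log should say that securelevel only prevents enabling them at runtime (the protected configuration is to leave them off, or to build without DDB). Style point on lines being rewritten anyway: SYSCTL_INT already supplies CTLTYPE_INT, so passing it in the access argument of break_to_debugger and alt_break_to_debugger is redundant.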
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: obrien 
State-Changed-When: Fri Oct 7 06:15:11 UTC 2011 
State-Changed-Why:  
Committed fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161350 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161350: commit references a PR
Date: Tue, 13 Dec 2011 17:59:26 +0000 (UTC)

 Author: obrien
 Date: Tue Dec 13 17:59:16 2011
 New Revision: 228475
 URL: http://svn.freebsd.org/changeset/base/228475
 
 Log:
   Disallow various debug.kdb sysctl's when securelevel is raised.
   
   PR:	161350
 
 Modified:
   head/sys/kern/kern_shutdown.c
 
 Modified: head/sys/kern/kern_shutdown.c
 ==============================================================================
 --- head/sys/kern/kern_shutdown.c	Tue Dec 13 17:34:47 2011	(r228474)
 +++ head/sys/kern/kern_shutdown.c	Tue Dec 13 17:59:16 2011	(r228475)
 @@ -102,8 +102,9 @@ int debugger_on_panic = 0;
  #else
  int debugger_on_panic = 1;
  #endif
 -SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
 -	&debugger_on_panic, 0, "Run debugger on kernel panic");
 +SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic,
 +    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN, &debugger_on_panic, 0,
 +    "Run debugger on kernel panic");
  TUNABLE_INT("debug.debugger_on_panic", &debugger_on_panic);
  
  #ifdef KDB_TRACE
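Review bot: the log says "debug.kdb sysctl's" but this hunk gates debug.debugger_on_panic, which lives under debug, not debug.kdb; the log should name it. Because it keeps CTLFLAG_TUN, the new flag only stops root from turning it on at runtime: the default of 1 in the #else branch shown here (the non-KDB_UNATTENDED build) is set before securelevel is raised and still drops a panicking kernel into ddb, so the log or security(7) should state that the hardened configuration is debugger_on_panic=0 at boot, or a KDB_UNATTENDED kernel. Minor: the flag order here (RW | SECURE | TUN) differs from r226089 (RW | TUN | SECURE); pick one.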
 @@ -111,8 +112,9 @@ static int trace_on_panic = 1;
  #else
  static int trace_on_panic = 0;
  #endif
 -SYSCTL_INT(_debug, OID_AUTO, trace_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
 -	&trace_on_panic, 0, "Print stack trace on kernel panic");
 +SYSCTL_INT(_debug, OID_AUTO, trace_on_panic,
 +    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN, &trace_on_panic, 0,
 +    "Print stack trace on kernel panic");
  TUNABLE_INT("debug.trace_on_panic", &trace_on_panic);
  #endif /* KDB */
  
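Review bot: the log gives no rationale for gating trace_on_panic; unlike debugger_on_panic it only controls whether a backtrace is printed on panic ("Print stack trace on kernel panic") and opens no interactive path to lower securelevel, so either state the reason in the log (consistency with the other debug knobs, or limiting what the console reveals) or leave it out of this change so the securelevel semantics documented in security(7) stay precise.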

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/161350: commit references a PR
Date: Mon,  2 Jul 2012 08:23:46 +0000 (UTC)

 Author: obrien
 Date: Mon Jul  2 08:21:15 2012
 New Revision: 237979
 URL: http://svn.freebsd.org/changeset/base/237979
 
 Log:
   MFC: r228475 & r228487: Disallow various debug.kdb sysctl's when securelevel
   is raised.
   
   PR:	161350
 
 Modified:
   stable/9/sys/kern/kern_shutdown.c
 Directory Properties:
   stable/9/   (props changed)
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/kern/kern_shutdown.c
 ==============================================================================
 --- stable/9/sys/kern/kern_shutdown.c	Mon Jul  2 08:09:07 2012	(r237978)
 +++ stable/9/sys/kern/kern_shutdown.c	Mon Jul  2 08:21:15 2012	(r237979)
 @@ -100,8 +100,9 @@ int debugger_on_panic = 0;
  #else
  int debugger_on_panic = 1;
  #endif
 -SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
 -	&debugger_on_panic, 0, "Run debugger on kernel panic");
 +SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic,
 +    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN,
 +    &debugger_on_panic, 0, "Run debugger on kernel panic");
  TUNABLE_INT("debug.debugger_on_panic", &debugger_on_panic);
  
  #ifdef KDB_TRACE
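Review bot: the log merges "r228475 & r228487", but the diff contains only the kern_shutdown.c change already shown for r228475 earlier in this PR, wrapped slightly differently (the &debugger_on_panic, 0 arguments moved to the following line); the log should say what r228487 contributed so the MFC record is verifiable, and the merged lines should match head exactly so later merges to stable/9 apply cleanly.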
 @@ -109,8 +110,9 @@ static int trace_on_panic = 1;
  #else
  static int trace_on_panic = 0;
  #endif
 -SYSCTL_INT(_debug, OID_AUTO, trace_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
 -	&trace_on_panic, 0, "Print stack trace on kernel panic");
 +SYSCTL_INT(_debug, OID_AUTO, trace_on_panic,
 +    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN,
 +    &trace_on_panic, 0, "Print stack trace on kernel panic");
  TUNABLE_INT("debug.trace_on_panic", &trace_on_panic);
  #endif /* KDB */
  
>Unformatted:
