>Number: 161350 >Category: kern >Synopsis: securelevel 3 can be lowered thru ddb >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Oct 07 05:40:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: David O'Brien >Release: FreeBSD 9.0-CURRENT i386 >Organization: The FreeBSD Project >Environment: System: FreeBSD dragon.NUXI.org 9.0-CURRENT FreeBSD 9.0-CURRENT #669 r223636M: Wed Jun 29 17:54:57 PDT 2011 ro...@dragon.nuxi.org:/sys/i386/compile/DRAGON i386 >Description: 'securelevel' is intended to disallow attempts to lower its value (when set to 1 or larger).
However, one may trivially enter ddb and lower the value. Given the behavior changes documented in security(7), I believe this to be against the spirit of 'securelevel' and against the desire of users of securelevel at 1+. >How-To-Repeat: # sysctl kern.securelevel=3 kern.securelevel: 0 -> 3 # sysctl kern.securelevel=0 kern.securelevel: 3 sysctl: kern.securelevel: Operation not permitted # sysctl debug.kdb.enter=1 KDB: enter: sysctl debug.kdb.enter [ thread pid 33529 tid 100134 ] Stopped at 0xffffffff808229ab = kdb_enter+0x3b: movq $0,0x92d732(%rip) db> print *(prison0 + 0xfc) 3 db> write (prison0 + 0xfc) 0 0xffffffff8103f85c = prison0+0xfc 0x3 = 0 db> print *(prison0 + 0xfc) 0 db> c debug.kdb.enter: 0 -> 0 # sysctl kern.securelevel=0 kern.securelevel: 0 -> 0 >Fix: >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"