>Number:         161350
>Category:       kern
>Synopsis:       securelevel 3 can be lowered thru ddb
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 07 05:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     David O'Brien
>Release:        FreeBSD 9.0-CURRENT i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD dragon.NUXI.org 9.0-CURRENT FreeBSD 9.0-CURRENT #669 r223636M: 
Wed Jun 29 17:54:57 PDT 2011 ro...@dragon.nuxi.org:/sys/i386/compile/DRAGON i386
>Description:
        'securelevel' is intended to disallow attempts to lower its value
        (when set to 1 or larger).

        However, one may trivially enter ddb and lower the value.
        Given the behavior changes documented in security(7), I believe this
        to be against the spirit of 'securelevel' and against the desire of
        users of securelevel at 1+.


>How-To-Repeat:
# sysctl kern.securelevel=3
kern.securelevel: 0 -> 3

# sysctl kern.securelevel=0
kern.securelevel: 3
sysctl: kern.securelevel: Operation not permitted

# sysctl debug.kdb.enter=1
KDB: enter: sysctl debug.kdb.enter
[ thread pid 33529 tid 100134 ]
Stopped at 0xffffffff808229ab = kdb_enter+0x3b:  movq $0,0x92d732(%rip)
db> print *(prison0 + 0xfc)
       3
db> write (prison0 + 0xfc) 0
0xffffffff8103f85c = prison0+0xfc  0x3 = 0
db> print *(prison0 + 0xfc)
       0
db> c
debug.kdb.enter: 0 -> 0

# sysctl kern.securelevel=0
kern.securelevel: 0 -> 0

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
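
A defender-side check for the condition this report describes, as an added example that is not part of the original report: it flags a host where `kern.securelevel` is 1 or higher while a kernel debugger backend is still available. The `debug.kdb.available` sysctl does not appear in the report, and the `classify` function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the report): warn when securelevel is raised but
# a kernel debugger backend such as ddb is still available.

# classify LEVEL BACKENDS
#   LEVEL:    value of kern.securelevel
#   BACKENDS: value of debug.kdb.available (empty if none)
# Prints a one-line verdict. Returns 0 = fine, 1 = exposed, 2 = bad input.
classify() {
    level=$1
    backends=$2
    digits=${level#-}            # securelevel may be -1, so allow one leading '-'
    case $digits in
        ''|*[!0-9]*)
            echo "UNKNOWN: securelevel '$level' is not a number"
            return 2 ;;
    esac
    if [ "$level" -lt 1 ]; then
        echo "INFO: securelevel $level is not raised"
        return 0
    fi
    if [ -z "$backends" ]; then
        echo "OK: securelevel $level, no kernel debugger backend"
        return 0
    fi
    echo "EXPOSED: securelevel $level, debugger backends present: $backends"
    return 1
}

# On FreeBSD, evaluate the live values; on other systems only the function
# is defined so the logic can be exercised with constructed inputs.
if [ "$(uname -s)" = "FreeBSD" ]; then
    classify "$(sysctl -n kern.securelevel)" \
             "$(sysctl -n debug.kdb.available 2>/dev/null)"
fi
```

An `EXPOSED` result means the securelevel setting on that host depends on a kernel that still carries a debugger, which is the situation shown in the How-To-Repeat session.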
