Init(8) cannot decrease securelevel

KATO Takenori Sun, 5 Sep 1999 21:55:45 -0700 (PDT) (envelope-from kato@ganko.eps.nagoya-u.ac.jp)

Once securelevel has been increased, no process can decrease it because
kernel always refuse decreasing it.  This is inconsistent with the
manual page of init:


     The kernel runs with four different levels of security.  Any super-user
     process can raise the security level, but only init can lower it.

Is there any security problem to implement this?  If no, could someone
review following patch?

kato

---------- BEGIN ----------
*** kern_mib.c.ORIG     Mon Sep  6 13:46:40 1999
--- kern_mib.c  Mon Sep  6 13:49:44 1999
***************
*** 178,184 ****
                error = sysctl_handle_int(oidp, &level, 0, req);
                if (error || !req->newptr)
                        return (error);
!               if (level < securelevel)
                        return (EPERM);
                securelevel = level;
                return (error);
--- 178,184 ----
                error = sysctl_handle_int(oidp, &level, 0, req);
                if (error || !req->newptr)
                        return (error);
!               if (level < securelevel && req->p->p_pid != 1)
                        return (EPERM);
                securelevel = level;
                return (error);
---------- END ----------

-----------------------------------------------+--------------------------+
KATO Takenori <k...@ganko.eps.nagoya-u.ac.jp>  |        FreeBSD           |
Dept. Earth Planet. Sci, Nagoya Univ.          |    The power to serve!   |
Nagoya, 464-8602, Japan                        |  http://www.FreeBSD.org/ |
++++ FreeBSD(98) 3.2:   Rev. 01 available!     |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available!     +==========================+


To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message

Init(8) cannot decrease securelevel

Reply via email to