From owner-freebsd-bugs@FreeBSD.ORG Fri Oct 7 05:40:08 2011 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66D831065672 for ; Fri, 7 Oct 2011 05:40:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2A4148FC13 for ; Fri, 7 Oct 2011 05:40:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p975e8RW054827 for ; Fri, 7 Oct 2011 05:40:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p975e8Hs054824; Fri, 7 Oct 2011 05:40:08 GMT (envelope-from gnats) Resent-Date: Fri, 7 Oct 2011 05:40:08 GMT Resent-Message-Id: <201110070540.p975e8Hs054824@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "David O'Brien" Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 751CF106566B for ; Fri, 7 Oct 2011 05:38:41 +0000 (UTC) (envelope-from obrien@NUXI.org) Received: from dragon.nuxi.org (trang.nuxi.org [74.95.12.85]) by mx1.freebsd.org (Postfix) with ESMTP id 59DED8FC0C for ; Fri, 7 Oct 2011 05:38:41 +0000 (UTC) Received: from dragon.nuxi.org (obrien@localhost [127.0.0.1]) by dragon.nuxi.org (8.14.5/8.14.5) with ESMTP id p975P7R4047365 for ; Thu, 6 Oct 2011 22:25:07 -0700 (PDT) (envelope-from obrien@dragon.nuxi.org) Received: (from obrien@localhost) by dragon.nuxi.org (8.14.5/8.14.4/Submit) id p975P764047364; Thu, 6 Oct 2011 22:25:07 -0700 (PDT) (envelope-from obrien) Message-Id: <201110070525.p975P764047364@dragon.nuxi.org> Date: Thu, 6 Oct 2011 22:25:07 -0700 (PDT) From: "David O'Brien" To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: kern/161350: securelevel 3 can be lowered thru ddb X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: David O'Brien List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Oct 2011 05:40:08 -0000 >Number: 161350 >Category: kern >Synopsis: securelevel 3 can be lowered thru ddb >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Oct 07 05:40:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: David O'Brien >Release: FreeBSD 9.0-CURRENT i386 >Organization: The FreeBSD Project >Environment: System: FreeBSD dragon.NUXI.org 9.0-CURRENT FreeBSD 9.0-CURRENT #669 r223636M: Wed Jun 29 17:54:57 PDT 2011 rootk@dragon.NUXI.org:/sys/i386/compile/DRAGON i386 >Description: 'securelevel' is intended to disallow attempts to lower its value (when set to 1 or larger). However, one may trivially enter ddb and lower the value. Given the behavior changes documented in security(7), I believe this to be against the spirit of 'securelevel' and against the desire of users of securelevel at 1+. >How-To-Repeat: # sysctl kern.securelevel=3 kern.securelevel: 0 -> 3 # sysctl kern.securelevel=0 kern.securelevel: 3 sysctl: kern.securelevel: Operation not permitted # sysctl debug.kdb.enter=1 KDB: enter: sysctl debug.kdb.enter [ thread pid 33529 tid 100134 ] Stopped at 0xffffffff808229ab = kdb_enter+0x3b: movq $0,0x92d732(%rip) db> print *(prison0 + 0xfc) 3 db> write (prison0 + 0xfc) 0 0xffffffff8103f85c = prison0+0xfc 0x3 = 0 db> print *(prison0 + 0xfc) 0 db> c debug.kdb.enter: 0 -> 0 # sysctl kern.securelevel=0 kern.securelevel: 0 -> 0 >Fix: >Release-Note: >Audit-Trail: >Unformatted: