List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
In-Reply-To: <72ea461d-6b16-a661-ac73-66aeb098208d@quip.cz>
References: <87fss1rxfl.wl-herbert@gojira.at> <72ea461d-6b16-a661-ac73-66aeb098208d@quip.cz>
From: grarpamp
Date: Fri, 12 Nov 2021 18:40:21 -0500
Subject: Re: Extracting base.txz files missing flags
To: current@freebsd.org
Cc: security@freebsd.org

> Maybe you missed something - you cannot change flags when your system
> has security level (kern.securelevel) raised above 0.

Nobody missed that, since anyone can easily install default FreeBSD and observe...

$ sysctl kern.securelevel
kern.securelevel: -1

SECURITY(7) - introduction to security under FreeBSD
The security levels are:
-1 Permanently insecure mode - always run the system in insecure mode. This is the default initial value.

Thus they have no effect as shipped. Nor do the schg'd files posted interact jointly with securelevels to produce more security together. They're just a list of arbitrarily chosen anti-footshooters, and anti-malware and other security theatre, that don't really need to be managed by FreeBSD as such. Though the handbook security section could point to some port/pkg/mtree's if some users wanted to try making some offerings there.

It would also be foolish to presume or suggest, without at least continuous formal verification etc., that any of today's OSes cannot be compromised, regardless of whatever options are enabled. Even then, you have the problem of all the secret blackbox hardware, aka CPU / NIC, they all run on... #OpenFabs #OpenHW #OpenAudit