Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 1 Jun 2003 17:31:56 -0400
From:      Rory Arms <rorya@TrueStep.com>
To:        freebsd-current@freebsd.org
Subject:   Re: installing kernel with securelevel set to 2
Message-ID:  <781BFFBC-9478-11D7-B397-000502D78289@TrueStep.com>

next in thread | raw e-mail | index | archive | help
I think I answered my own question. The kernel isn't installed with  
immutable flags to begin with -- So, my question is, why is this? I  
thought the advantage of making the kernel immutable was to better  
protect the system if root was compromised? I searched the archives  
regarding this, but found nothing that related to it.

-rory

> From: Rory Arms <rorya@TrueStep.com>
> Date: Sun Jun 1, 2003  17:07:53 US/Eastern
> To: freebsd-current@freebsd.org
> Subject: installing kernel with securelevel set to 2
> X-Mailer: Apple Mail (2.552)
>
> FreeBSD-current@
>
> I just tried installing a kernel after compiling May 31st source and  
> figured I would have to reboot to a lower securelevel, as I'm running  
> with kern.securelevel set to 2. However, it slipped my mind and i've  
> noticed it installed anyhow. Has this behavior changed? I thought that  
> the kernel file (/boot/kernel/kernel) and its modules could not be  
> replaced at that securelevel? Note: I'm currently running an April 6th  
> -CURRENT. Also, all filesystems are UFS1, currently.
>
> As you can see, it installed kernel just fine for some reason. In the  
> past, if the machine was running in secure mode it would stop at this  
> point:
>
> [...]
> cd /usr/obj/usr/src/sys/TSERVER;  MAKEOBJDIRPREFIX=/usr/obj   
> MACHINE_ARCH=i386  MACHINE=i386  CPUTYPE=i686   
> GROFF_BIN_PATH=/usr/obj/usr/src/i386/legacy/usr/bin   
> GROFF_FONT_PATH=/usr/obj/usr/src/i386/legacy/usr/share/groff_font   
> GROFF_TMAC_PATH=/usr/obj/usr/src/i386/legacy/usr/share/tmac  
> PATH=/usr/obj/usr/src/i386/legacy/usr/sbin:/usr/obj/usr/src/i386/ 
> legacy/usr/bin:/usr/obj/usr/src/i386/legacy/usr/games:/usr/obj/usr/ 
> src/i386/usr/sbin:/usr/obj/usr/src/i386/usr/bin:/usr/obj/usr/src/i386/ 
> usr/games:/sbin:/bin:/usr/sbin:/usr/bin  make KERNEL=kernel install
> thiskernel=`sysctl -n kern.bootfile` ;  if [ "$thiskernel" =  
> /boot/kernel.old/kernel ] ; then  chflags -R noschg /boot/kernel ;  rm  
> -rf /boot/kernel ;  else  if [ -d /boot/kernel.old ] ; then  chflags  
> -R noschg /boot/kernel.old ;  rm -rf /boot/kernel.old ;  fi ;  mv  
> /boot/kernel /boot/kernel.old ;  if [ "$thiskernel" =  
> /boot/kernel/kernel ] ; then  sysctl  
> kern.bootfile=/boot/kernel.old/kernel ;  fi;  fi
> kern.bootfile: /boot/kernel/kernel -> /boot/kernel.old/kernel
> mkdir -p /boot/kernel
> install -p -m 555 -o root -g wheel kernel /boot/kernel
> cd /usr/src/sys/modules;  
> MAKEOBJDIRPREFIX=/usr/obj/usr/src/sys/TSERVER/modules  
> KMODDIR=/boot/kernel MACHINE=i386 make  install
> [...]
>
> Looks like it was able to remove the immutable flag w/o a problem,  
> which isn't supposed to be allowed at securelevel 1 or 2.
>
> From securelevel(8):
>
>      1     Secure mode - the system immutable and system append-only  
> flags may
>            not be turned off; disks for mounted file systems,  
> /dev/mem, and
>            /dev/kmem may not be opened for writing; kernel modules (see
>            kld(4)) may not be loaded or unloaded.
>
>      2     Highly secure mode - same as secure mode, plus disks may  
> not be
>            opened for writing (except by mount(2)) whether mounted or  
> not.
>            This level precludes tampering with file systems by  
> unmounting
>            them, but also inhibits running newfs(8) while the system  
> is multi-
>            user.
>
> Here's how I checked the securelevel:
> # sysctl kern.securelevel
> kern.securelevel: 2
> #
>
> Also, checking the flags on "/boot/kernel/kernel" after the "make -j2  
> kernelinstall" there appears to be no flags set on the kernel file or  
> any of its modules:
>
> # ls -lo /boot/kernel/kernel
> -r-xr-xr-x  1 root  wheel  - 3553557 Jun  1 16:24 /boot/kernel/kernel
> #
>
> Odd, no? Is there a new sysctl(8) directive that I'm missing? Maybe  
> its a bug that's been fixed since Apr. 6th.
>
> Thanks,
>
> -rory
>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?781BFFBC-9478-11D7-B397-000502D78289>