Date:      Mon, 16 Jun 2008 20:44:33 +0400
From:      Stanislav Sedov <stas@FreeBSD.org>
To:        Coleman Kane <cokane@FreeBSD.org>
Cc:        Rui Paulo <rpaulo@FreeBSD.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, kib@FreeBSD.org, current@FreeBSD.org, Peter Jeremy <peterjeremy@optushome.com.au>
Subject:   Re: cpuctl(formely devcpu) patch test request
Message-ID:  <20080616204433.48ad9879.stas@FreeBSD.org>
In-Reply-To: <1213557999.1816.15.camel@localhost>
References:  <20080606020927.8d6675e1.stas@FreeBSD.org> <10261.1212703949@critter.freebsd.dk> <20080606025533.8322ee08.stas@FreeBSD.org> <1212758604.1904.33.camel@localhost> <20080615230250.7f3efae4.stas@FreeBSD.org> <1213557999.1816.15.camel@localhost>

On Sun, 15 Jun 2008 15:26:39 -0400
Coleman Kane <cokane@FreeBSD.org> mentioned:

> I think the anti-foot-shooting measures referred to above were also
> taken into consideration for security reasons. It might be valuable for
> someone to be able to configure this feature to be rdmsr-only, thereby
> limiting potential harm vectors in the event that an attacker is likely
> to crack access to the system for supervisory privileges. This would be
> a legitimate consideration to make, especially so that the module could
> at least provide a sane "safe operating mode" to those that would
> benefit from read-only access.
> 
> So, for example, I would consider most crackers to be skilled enough to
> inject an ioctl call somewhere, even if the primary user of the system
> is not so skilled, but they want to use software written by others that
> makes use of this interface.

On the other hand, providing extra security levels via sysctl looks
like slight overkill to me, as if the attacker were able to issue
an ioctl call somewhere it would be easy for him to make a sysctl
call as well. priv(9) checks and/or securelevels could be used
to limit the usage of this functionality. Furthermore, there are
a lot of other possible ways to execute MSR instructions,
including loading your own simple kernel object.

-- 
Stanislav Sedov
ST4096-RIPE




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080616204433.48ad9879.stas>