From owner-freebsd-security Sat Sep 6 10:50:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA24630 for security-outgoing; Sat, 6 Sep 1997 10:50:06 -0700 (PDT)
Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA24625 for ; Sat, 6 Sep 1997 10:50:02 -0700 (PDT)
Received: (from sef@localhost) by kithrup.com (8.8.5/8.6.6) id KAA25203; Sat, 6 Sep 1997 10:49:05 -0700 (PDT)
Date: Sat, 6 Sep 1997 10:49:05 -0700 (PDT)
From: Sean Eric Fagan
Message-Id: <199709061749.KAA25203@kithrup.com>
To: brian@firehouse.net
Subject: Re: procfs take II
Newsgroups: kithrup.freebsd.security
In-Reply-To:
Organization: Kithrup Enterprises, Ltd.
Cc: security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article you write:
>Here is a simple patch, it disallows writes to pid 1's mem node if
>securelevel is > 0 (diff is based on 2.2.1 box with the securelevel fix
>applied):

Insufficient -- PTRACE_ATTACH allows the same hole.

Also, the only place that kind of change really needs to go is in
procfs_open(), when the file is originally opened. If securelevel > 0, then
init should be read-only (or not even readable at all).

A more general way of doing this should be provided, I think, rather than
special-casing pid 1.

Sean.