From owner-freebsd-security Sat Aug 30 06:08:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA17000 for security-outgoing; Sat, 30 Aug 1997 06:08:07 -0700 (PDT)
Received: from apocalypse.saturn.net (user1245@apocalypse.saturn.net [208.192.215.27]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA16985 for ; Sat, 30 Aug 1997 06:07:58 -0700 (PDT)
Received: from localhost (brian@localhost) by apocalypse.saturn.net (8.8.5/8.8.5) with SMTP id JAA00268 for ; Sat, 30 Aug 1997 09:06:21 -0400 (EDT)
Date: Sat, 30 Aug 1997 09:06:19 -0400 (EDT)
From: Brian Mitchell
To: freebsd-security@freebsd.org
Subject: DDB/securelevel
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

DDB is the kernel debugger. It lets you debug the kernel upon a panic or when you wish to enter it via a key sequence on the console. There appears to be a slight problem, though: you can use DDB to lower the securelevel of the system. The following shows one example:

# sysctl -w kern.securelevel=10
kern.securelevel: 0 -> 10
# Debugger("manual escape to debugger")
Stopped at _Debugger+0x35: movb $0,_in_Debugger.118
db> write securelevel 0
_securelevel 0xa = 0
db> cont
# sysctl kern.securelevel
kern.securelevel: 0
#

The most straightforward solution to this is to simply not allow DDB to be run when securelevel > 0. Enclosed is a simple patch against 2.2.1 to do this.

*** i386/i386/db_interface.c Sat Aug 30 08:57:36 1997 --- i386/i386/db_interface.c.new Sat Aug 30 09:00:43 1997 *************** *** 241,246 **** --- 241,256 ---- /* * XXX + * Do nothing if the securelevel is > 0. The justification + * being that DDB can be used to lower the securelevel, so + * if we run > 0, we should not be able to run DDB at all. + * Modifying DDB to be securelevel friendly is not an option.
+ */ + if(securelevel > 0) + return; + + /* + * XXX * Do nothing if the console is in graphics mode. This is * OK if the call is for the debugger hotkey but not if the call * is a weak form of panicing.

Brian Mitchell
brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt (OpenBSD President)
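
Review bot: the added "if(securelevel > 0) return;" sits ahead of the graphics-mode check and returns for every caller, so at securelevel > 0 it also drops the calls that the existing comment right below it describes as "a weak form of panicing", not only the console hotkey entry. Either say so in the new comment and state what a panic path should do instead, or limit the check to the hotkey case. The comment's last sentence ("Modifying DDB to be securelevel friendly is not an option") gives no reason; a short explanation would help the next reader. The hunk adds no include or extern, so please confirm that securelevel is already declared where db_interface.c can see it. Style: write "if (securelevel > 0)" with a space after "if".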