opnsense-src/sys/security/mac
Mark Johnston cab1056105 kdb: Modify securelevel policy
Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel, see commit 3d7618d8bf.  However, the newer mac_ddb(4)
restricts DDB operations which could be abused to lower securelevel
while retaining some ability to gather useful debugging information.

To enable the use of KDB (specifically, DDB) on systems with a raised
securelevel, change the KDB sysctl policy: rather than relying on
CTLFLAG_SECURE, add a check of the current securelevel to kdb_trap().
If the securelevel is raised, only pass control to the backend if MAC
specifically grants access; otherwise simply check to see if mac_ddb
vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour.  That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.

Reviewed by:	mhorne, stevek
MFC after:	1 month
Sponsored by:	Juniper Networks
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D37122
2023-03-30 10:45:00 -04:00
mac_audit.c
mac_cred.c
mac_framework.c mac: cheaper check for mac_pipe_check_read 2022-08-17 14:21:25 +00:00
mac_framework.h kdb: Modify securelevel policy 2023-03-30 10:45:00 -04:00
mac_inet.c IfAPI: Add if_get/setmaclabel() and use it. 2023-01-31 15:02:15 -05:00
mac_inet6.c IfAPI: Add if_get/setmaclabel() and use it. 2023-01-31 15:02:15 -05:00
mac_internal.h security: clean up empty lines in .c and .h files 2020-09-01 21:26:00 +00:00
mac_kdb.c kdb: Modify securelevel policy 2023-03-30 10:45:00 -04:00
mac_label.c security: clean up empty lines in .c and .h files 2020-09-01 21:26:00 +00:00
mac_net.c IfAPI: Add if_get/setmaclabel() and use it. 2023-01-31 15:02:15 -05:00
mac_pipe.c mac: cheaper check for mac_pipe_check_read 2022-08-17 14:21:25 +00:00
mac_policy.h Bump MAC_VERSION to 5 2022-10-07 15:24:32 +00:00
mac_posix_sem.c
mac_posix_shm.c
mac_priv.c mac: implement fast path for checks 2020-02-13 22:19:17 +00:00
mac_process.c vfs: drop the mostly unused flags argument from VOP_UNLOCK 2020-01-03 22:29:58 +00:00
mac_socket.c protosw: refactor protosw and domain static declaration and load 2022-08-17 11:50:32 -07:00
mac_syscalls.c vfs: stop using NDFREE 2022-12-19 08:07:23 +00:00
mac_system.c
mac_sysv_msg.c
mac_sysv_sem.c
mac_sysv_shm.c
mac_vfs.c Add a comment on why the call to mac_vnode_relabel() might be in the wrong 2021-02-27 16:25:26 +00:00