Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the system state, including sensitive data such as
However, having some access to debugger functionality on production
systems may be useful in determining the cause of a panic or hang.
Therefore, it is desirable to have an optional policy which allows
limited use of ddb(4) while disabling the functionality which could
reveal system secrets.
This loadable MAC module provides allow-lists for some ddb(4) commands
while preventing the execution of others. The commands have been broadly
grouped into three categories:
- Those which are 'safe' and will not emit sensitive data (e.g. backtrace). Generally, these commands are deterministic and don't accept arguments.
- Those which are definitively unsafe (e.g. examine <addr>, search <addr> <value>)
- Commands which may be safe to execute depending on the arguments provided (e.g. show proc <addr>).
Safe commands will be flagged as such and their execution allowed, while
all unrecognized commands will be prevented from executing.
Commands requiring extra validation can provide a function to do so.
For example, 'show proc <addr>' can be used as long as addr can be
checked against the system's list of process structures. The machinery
for this validation is added in this patch while some simple validation
functions will be added in the next.
The policy also prevents debugger backends other than ddb(4) from
executing, for example gdb(4).
TODO: man page