
kdb: Modify securelevel policy
Closed, Public

Authored by markj on Oct 25 2022, 6:09 PM.
Details

Summary

Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel. However, mac_ddb prohibits DDB operations which could be
abused to lower securelevel while retaining some ability to gather
useful information.

To enable the use of KDB (specifically, DDB) with a raised securelevel,
change the policy a bit following a suggestion from mhorne. Rather than
relying on CTLFLAG_SECURE, add a check of the current securelevel to
kdb_trap(). If the securelevel is raised, only pass control to the
backend if MAC specifically grants access; otherwise simply check to see
if mac_ddb vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour. That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.
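As an added example (not code from this patch or from the FreeBSD tree), the following standalone C model encodes the entry policy described in the summary together with the jail point raised in the discussion below: with a raised securelevel and no override, the backend is entered only if MAC explicitly grants; otherwise it is entered unless MAC vetoes; and the override sysctl, being CTLFLAG_SECURE, can only be set before securelevel is raised. The struct, the enum and every function name here are assumptions for illustration; the real check lives in kdb_trap() and the MAC hooks in mac_kdb.c, whose signatures are not reproduced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model of the KDB entry policy from the review summary.
 * Names and layout are this example's own assumptions, not kernel code.
 */

/* What the MAC framework (mac_ddb in practice) says about a KDB entry. */
enum mac_verdict {
	MAC_NO_OPINION,	/* no policy loaded, or policy has nothing to say */
	MAC_GRANT,	/* a policy explicitly grants access */
	MAC_VETO	/* a policy explicitly denies access */
};

/* The subset of system state the policy looks at (assumed, simplified). */
struct sys_state {
	int	securelevel;		/* kern.securelevel */
	bool	enter_securelevel;	/* debug.kdb.enter_securelevel */
};

/*
 * Model of writing debug.kdb.enter_securelevel. The sysctl is a secure
 * sysctl, so the write is refused once securelevel is raised; a jailed
 * process cannot write it at all, as confirmed in the review thread.
 */
int
set_enter_securelevel(struct sys_state *st, bool jailed, bool value)
{
	if (jailed)
		return (EPERM);
	if (st->securelevel > 0)
		return (EPERM);
	st->enter_securelevel = value;
	return (0);
}

/* Raising securelevel is always allowed; lowering it is not modelled. */
int
raise_securelevel(struct sys_state *st, int level)
{
	if (level < st->securelevel)
		return (EPERM);
	st->securelevel = level;
	return (0);
}

/*
 * The kdb_trap() decision as described in the summary: with a raised
 * securelevel and no override, enter the backend only if MAC grants;
 * otherwise enter unless MAC vetoes.
 */
bool
kdb_may_enter_backend(const struct sys_state *st, enum mac_verdict v)
{
	if (st->securelevel > 0 && !st->enter_securelevel)
		return (v == MAC_GRANT);
	return (v != MAC_VETO);
}

/*
 * Walk through the ordering constraint from the summary: the override must
 * be set before securelevel is raised. Returns true when the sequence
 * behaves as described.
 */
bool
demo_ordering(void)
{
	struct sys_state late = { 0, false }, early = { 0, false };

	/* Raise first, then try to enable: refused, and KDB stays locked out. */
	raise_securelevel(&late, 1);
	if (set_enter_securelevel(&late, false, true) != EPERM)
		return (false);
	if (kdb_may_enter_backend(&late, MAC_NO_OPINION))
		return (false);

	/* Enable first, then raise: entry is still possible afterwards... */
	if (set_enter_securelevel(&early, false, true) != 0)
		return (false);
	raise_securelevel(&early, 1);
	if (!kdb_may_enter_backend(&early, MAC_NO_OPINION))
		return (false);
	/* ...but MAC can still veto the request. */
	return (!kdb_may_enter_backend(&early, MAC_VETO));
}

int
main(void)
{
	printf("override-before-raise ordering behaves as described: %s\n",
	    demo_ordering() ? "yes" : "no");
	return (0);
}
```

The model deliberately keeps the two checks separate: the securelevel gate is what changed in this revision, while the MAC veto is the pre-existing mac_ddb behaviour that still applies in every branch.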

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. Oct 25 2022, 6:09 PM

D37106 implements the alternate approach.

One nit, but this looks great.

One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

sys/kern/subr_kdb.c (lines 769–770)

Need to drop this #ifdef now.

sys/security/mac/mac_kdb.c (line 47)

ahhh now I see :)

This revision is now accepted and ready to land. Oct 25 2022, 6:38 PM

Regarding documentation, you might need to tweak the securelevel description in security(7), and/or add a paragraph about "interaction with securelevel" to mac_ddb(4).

> One nit, but this looks great.

Definitely better than what I came up with originally. :)

> One thing to clarify: a jailed process is still unable to modify these sysctls, regardless of the securelevels of the jail and the whole system, yes?

Right. You need to explicitly allow that with CTLFLAGS.

This revision now requires review to proceed. Oct 25 2022, 6:52 PM
This revision is now accepted and ready to land. Oct 25 2022, 8:09 PM
This revision was automatically updated to reflect the committed changes.