diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 29, 2022 +.Dd March 30, 2023 .Dt SECURITY 7 .Os .Sh NAME @@ -537,7 +537,10 @@ may not be loaded or unloaded. The kernel debugger may not be entered using the .Va debug.kdb.enter -sysctl. +sysctl unless a +.Xr MAC 9 +policy grants access, for example using +.Xr mac_ddb 4 . A panic or trap cannot be forced using the .Va debug.kdb.panic , .Va debug.kdb.panic_str diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c --- a/sys/kern/kern_shutdown.c +++ b/sys/kern/kern_shutdown.c @@ -129,18 +129,18 @@ int debugger_on_panic = 1; #endif SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_panic, 0, "Run debugger on kernel panic"); + CTLFLAG_RWTUN, &debugger_on_panic, 0, + "Run debugger on kernel panic"); static bool debugger_on_recursive_panic = false; SYSCTL_BOOL(_debug, OID_AUTO, debugger_on_recursive_panic, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_recursive_panic, 0, "Run debugger on recursive kernel panic"); + CTLFLAG_RWTUN, &debugger_on_recursive_panic, 0, + "Run debugger on recursive kernel panic"); int debugger_on_trap = 0; SYSCTL_INT(_debug, OID_AUTO, debugger_on_trap, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_trap, 0, "Run debugger on kernel trap before panic"); + CTLFLAG_RWTUN, &debugger_on_trap, 0, + "Run debugger on kernel trap before panic"); #ifdef KDB_TRACE static int trace_on_panic = 1; diff --git a/sys/kern/subr_kdb.c b/sys/kern/subr_kdb.c --- a/sys/kern/subr_kdb.c +++ b/sys/kern/subr_kdb.c @@ -77,6 +77,7 @@ static int kdb_break_to_debugger = KDB_BREAK_TO_DEBUGGER; static int kdb_alt_break_to_debugger = KDB_ALT_BREAK_TO_DEBUGGER; +static int kdb_enter_securelevel = 0; KDB_BACKEND(null, NULL, NULL, NULL, NULL); @@ -103,7 +104,7 @@ "currently selected KDB backend"); SYSCTL_PROC(_debug_kdb, OID_AUTO, enter, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_MPSAFE, NULL, 0, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, 0, kdb_sysctl_enter, "I", "set to enter the debugger"); @@ -133,13 +134,18 @@ "set to cause a stack overflow"); SYSCTL_INT(_debug_kdb, OID_AUTO, break_to_debugger, - CTLFLAG_RWTUN | CTLFLAG_SECURE, + CTLFLAG_RWTUN, &kdb_break_to_debugger, 0, "Enable break to debugger"); SYSCTL_INT(_debug_kdb, OID_AUTO, alt_break_to_debugger, - CTLFLAG_RWTUN | CTLFLAG_SECURE, + CTLFLAG_RWTUN, &kdb_alt_break_to_debugger, 0, "Enable alternative break to debugger"); +SYSCTL_INT(_debug_kdb, OID_AUTO, enter_securelevel, + CTLFLAG_RWTUN | CTLFLAG_SECURE, + &kdb_enter_securelevel, 0, + "Maximum securelevel to enter a KDB backend"); + /* * Flag to indicate to debuggers why the debugger was entered. */ @@ -489,6 +495,34 @@ return (EINVAL); } +static bool +kdb_backend_permitted(struct kdb_dbbe *be, struct ucred *cred) +{ + int error; + + error = securelevel_gt(cred, kdb_enter_securelevel); +#ifdef MAC + /* + * Give MAC a chance to weigh in on the policy: if the securelevel is + * not raised, then MAC may veto the backend, otherwise MAC may + * explicitly grant access. + */ + if (error == 0) { + error = mac_kdb_check_backend(be); + if (error != 0) { + printf("MAC prevented execution of KDB backend: %s\n", + be->dbbe_name); + return (false); + } + } else if (mac_kdb_grant_backend(be) == 0) { + error = 0; + } +#endif + if (error != 0) + printf("refusing to enter KDB with elevated securelevel\n"); + return (error == 0); +} + /* * Enter the currently selected debugger. If a message has been provided, * it is printed first. If the debugger does not support the enter method, @@ -733,15 +767,11 @@ cngrab(); for (;;) { -#ifdef MAC - if (mac_kdb_check_backend(be) != 0) { - printf("MAC prevented execution of KDB backend: %s\n", - be->dbbe_name); + if (!kdb_backend_permitted(be, curthread->td_ucred)) { /* Unhandled breakpoint traps are fatal. */ handled = 1; break; } -#endif handled = be->dbbe_trap(type, code); if (be == kdb_dbbe) break; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -214,6 +214,7 @@ void mac_ipq_update(struct mbuf *m, struct ipq *q); int mac_kdb_check_backend(struct kdb_dbbe *be); +int mac_kdb_grant_backend(struct kdb_dbbe *be); int mac_kenv_check_dump(struct ucred *cred); int mac_kenv_check_get(struct ucred *cred, char *name); diff --git a/sys/security/mac/mac_kdb.c b/sys/security/mac/mac_kdb.c --- a/sys/security/mac/mac_kdb.c +++ b/sys/security/mac/mac_kdb.c @@ -39,6 +39,15 @@ #include #include +int +mac_kdb_grant_backend(struct kdb_dbbe *be) +{ + int error = 0; + + MAC_POLICY_GRANT_NOSLEEP(kdb_check_backend, be); + return (error); +} + int mac_kdb_check_backend(struct kdb_dbbe *be) {