Differential D53171

bsdinstall: Harden reading the kernel message buffer
Needs ReviewPublic
Actions

Authored by jlduran on Fri, Oct 17, 4:40 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Nov 6, 4:06 AM

	Unknown Object (File)
	Fri, Oct 31, 10:46 AM

	Unknown Object (File)
	Wed, Oct 29, 4:55 PM

	Unknown Object (File)
	Wed, Oct 29, 9:40 AM

	Unknown Object (File)
	Wed, Oct 29, 8:44 AM

	Unknown Object (File)
	Tue, Oct 28, 2:45 PM

	Unknown Object (File)
	Sat, Oct 25, 6:06 PM

	Unknown Object (File)
	Sat, Oct 25, 6:06 PM

View All 19 Files

Subscribers

Details

Reviewers

Group Reviewers

Summary

When choosing the option to harden reading the kernel message buffer by
an unprivileged user in bsdinstall, access to the kernel message buffer
is restricted via its sysctl (security.bsd.unprivileged_read_msgbuf=0).

In order for this setting to be effective, access to this data via
system logs must also be restricted. Add the necessary hooks to
restrict access to the log files:

/var/log/messages
/var/run/dmesg.boot ($dmesg_file)

PR: 272552

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 67875
Build 64758: arc lint + arc unit

Event Timeline

jlduran created this revision.Fri, Oct 17, 4:40 PM

Herald added subscribers: jrtc27, imp. · View Herald TranscriptFri, Oct 17, 4:40 PM

jlduran requested review of this revision.Fri, Oct 17, 4:40 PM

Harbormaster completed remote builds in B67875: Diff 164428.Fri, Oct 17, 4:40 PM

jlduran added a parent revision: D53170: bsdinstall: Fix typos.Fri, Oct 17, 4:40 PM

jlduran edited the summary of this revision. (Show Details)Fri, Oct 17, 5:34 PM

jlduran added a reviewer: emaste.Fri, Oct 17, 6:52 PM

jlduran added a reviewer: security.Wed, Oct 22, 7:30 PM

Revision Contents
Changeset List

Path

Size

usr.sbin/

bsdinstall/

scripts/

6 lines

3 lines

Diff 164428

usr.sbin/bsdinstall/scripts/config

Loading...

usr.sbin/bsdinstall/scripts/hardening

Loading...