Differential D53171

bsdinstall: Harden reading the kernel message buffer
Needs ReviewPublic
Actions

Authored by jlduran on Oct 17 2025, 4:40 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Fri, Dec 12, 1:15 PM

	Unknown Object (File)
	Tue, Nov 25, 4:42 PM

	Unknown Object (File)
	Nov 6 2025, 4:06 AM

	Unknown Object (File)
	Oct 31 2025, 10:46 AM

	Unknown Object (File)
	Oct 29 2025, 4:55 PM

	Unknown Object (File)
	Oct 29 2025, 9:40 AM

	Unknown Object (File)
	Oct 29 2025, 8:44 AM

	Unknown Object (File)
	Oct 28 2025, 2:45 PM

View All 21 Files

Subscribers

Details

Reviewers

Group Reviewers

Summary

When choosing the option to harden reading the kernel message buffer by
an unprivileged user in bsdinstall, access to the kernel message buffer
is restricted via its sysctl (security.bsd.unprivileged_read_msgbuf=0).

In order for this setting to be effective, access to this data via
system logs must also be restricted. Add the necessary hooks to
restrict access to the log files:

/var/log/messages
/var/run/dmesg.boot ($dmesg_file)

PR: 272552

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 67875
Build 64758: arc lint + arc unit

Event Timeline

jlduran created this revision.Oct 17 2025, 4:40 PM

Herald added subscribers: jrtc27, imp. · View Herald TranscriptOct 17 2025, 4:40 PM

jlduran requested review of this revision.Oct 17 2025, 4:40 PM

Harbormaster completed remote builds in B67875: Diff 164428.Oct 17 2025, 4:40 PM

jlduran added a parent revision: D53170: bsdinstall: Fix typos.Oct 17 2025, 4:40 PM

jlduran edited the summary of this revision. (Show Details)Oct 17 2025, 5:34 PM

jlduran added a reviewer: emaste.Oct 17 2025, 6:52 PM

jlduran added a reviewer: security.Oct 22 2025, 7:30 PM

Revision Contents
Changeset List

Path

Size

usr.sbin/

bsdinstall/

scripts/

6 lines

3 lines

Diff 164428

usr.sbin/bsdinstall/scripts/config

Loading...

usr.sbin/bsdinstall/scripts/hardening

Loading...