Differential D53171

bsdinstall: Harden reading the kernel message buffer
Needs ReviewPublic
Actions

Authored by jlduran on Fri, Oct 17, 4:40 PM.

Tags

None

Referenced Files

	F132591184: D53171.id164428.diff
	Sat, Oct 18, 5:55 AM

	F132564195: D53171.id.diff
	Sat, Oct 18, 12:33 AM

	F132546061: D53171.id164428.diff
	Fri, Oct 17, 9:04 PM

	F132542605: D53171.diff
	Fri, Oct 17, 8:16 PM

	F132537236: D53171.id.diff
	Fri, Oct 17, 7:05 PM

	F132535110: D53171.diff
	Fri, Oct 17, 6:38 PM

	Unknown Object (File)
	Fri, Oct 17, 6:31 PM

Subscribers

Details

Reviewers

Summary

When choosing the option to harden reading the kernel message buffer by
an unprivileged user in bsdinstall, access to the kernel message buffer
is restricted via its sysctl (security.bsd.unprivileged_read_msgbuf=0).

In order for this setting to be effective, access to this data via
system logs must also be restricted. Add the necessary hooks to
restrict access to the log files:

/var/log/messages
/var/run/dmesg.boot ($dmesg_file)

PR: 272552

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 67875
Build 64758: arc lint + arc unit

Event Timeline

jlduran created this revision.Fri, Oct 17, 4:40 PM

Herald added subscribers: jrtc27, imp. · View Herald TranscriptFri, Oct 17, 4:40 PM

jlduran requested review of this revision.Fri, Oct 17, 4:40 PM

Harbormaster completed remote builds in B67875: Diff 164428.Fri, Oct 17, 4:40 PM

jlduran added a parent revision: D53170: bsdinstall: Fix typos.Fri, Oct 17, 4:40 PM

jlduran edited the summary of this revision. (Show Details)Fri, Oct 17, 5:34 PM

jlduran added a reviewer: emaste.Fri, Oct 17, 6:52 PM

Revision Contents
Changeset List

Path

Size

usr.sbin/

bsdinstall/

scripts/

6 lines

3 lines

Diff 164428

usr.sbin/bsdinstall/scripts/config

Loading...

usr.sbin/bsdinstall/scripts/hardening

Loading...