Page MenuHomeFreeBSD
Differential D53171

bsdinstall: Harden reading the kernel message buffer
Needs ReviewPublic
Actions

Authored by jlduran on Oct 17 2025, 4:40 PM.
Tags
None
Referenced Files
F144546032: D53171.diff
Mon, Feb 9, 10:24 AM
Unknown Object (File)
Fri, Jan 30, 5:21 PM
Unknown Object (File)
Jan 10 2026, 3:59 PM
Unknown Object (File)
Jan 10 2026, 3:59 PM
Unknown Object (File)
Dec 21 2025, 7:05 AM
Unknown Object (File)
Dec 12 2025, 1:15 PM
Unknown Object (File)
Nov 25 2025, 4:42 PM
Unknown Object (File)
Nov 6 2025, 4:06 AM
View All 26 Files
Subscribers
imp
jrtc27

Details

Reviewers
emaste
Group Reviewers
security
Summary

When choosing the option to harden reading the kernel message buffer by
an unprivileged user in bsdinstall, access to the kernel message buffer
is restricted via its sysctl (security.bsd.unprivileged_read_msgbuf=0).

In order for this setting to be effective, access to this data via
system logs must also be restricted. Add the necessary hooks to
restrict access to the log files:

  • /var/log/messages
  • /var/run/dmesg.boot ($dmesg_file)

PR: 272552

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67875
Build 64758: arc lint + arc unit

Revision Contents
Changeset List

PathSize
usr.sbin/
bsdinstall/
scripts/
6 lines
3 lines

Diff 164428

View Options

usr.sbin/bsdinstall/scripts/config

Loading...
View Options

usr.sbin/bsdinstall/scripts/hardening

Loading...