bsdinstall: Harden reading the kernel message buffer
Needs Review, Public

Authored by jlduran on Oct 17 2025, 4:40 PM.
Tags
None

Details

Reviewers
emaste
Group Reviewers
security
Summary

When choosing the option to harden reading the kernel message buffer by
an unprivileged user in bsdinstall, access to the kernel message buffer
is restricted via its sysctl (security.bsd.unprivileged_read_msgbuf=0).

In order for this setting to be effective, access to this data via
system logs must also be restricted. Add the necessary hooks to
restrict access to the log files:

  • /var/log/messages
  • /var/run/dmesg.boot ($dmesg_file)

PR: 272552
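
A way to verify on an installed system that the hardening described in the summary holds end to end, as an added example that is not part of this revision or of bsdinstall. The function names are hypothetical, and "restricted" is assumed here to mean that the files carry no read bit for "other".

```shell
#!/bin/sh
# Added example: audit that hiding the kernel message buffer is not undone
# by readable copies of the same data in the log files named in the summary.
# Assumption: "restricted" means mode bit 0004 (other-read) is clear.

# Return 0 if the path exists and is readable by "other".
world_readable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]
}

# audit_msgbuf SYSCTL_VALUE FILE...
# Prints one line per finding and returns the number of findings.
audit_msgbuf() {
    value=$1
    shift
    findings=0
    if [ "$value" != "0" ]; then
        echo "FAIL security.bsd.unprivileged_read_msgbuf=$value (want 0)"
        findings=$((findings + 1))
    fi
    for f in "$@"; do
        if world_readable "$f"; then
            echo "FAIL $f is world-readable, kernel messages leak through it"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run the audit against the live system only on FreeBSD.
if [ "$(uname -s)" = "FreeBSD" ]; then
    audit_msgbuf "$(sysctl -n security.bsd.unprivileged_read_msgbuf)" \
        /var/log/messages /var/run/dmesg.boot || echo "hardening incomplete"
fi
```

A missing file is not reported as a finding, so a host where /var/run/dmesg.boot has not been written yet still passes.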

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67875
Build 64758: arc lint + arc unit