xref: /netbsd-src/share/man/man9/secmodel_securelevel.9 (revision 8b0f9554ff8762542c4defc4f70e1eb76fb508fa)
.\" $NetBSD: secmodel_securelevel.9,v 1.1 2007/11/21 22:49:06 elad Exp $
.\"
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 21, 2007
.Dt SECMODEL_SECURELEVEL 9
.Os
.Sh NAME
.Nm secmodel_securelevel
.Nd securelevel security model
.Sh DESCRIPTION
The securelevel mechanism is intended to protect the persistence
of code and data on the system, or a subset thereof, from modification, even
by the super-user, by providing convenient means of
.Dq locking down
a system to a degree suited to its environment.
.Pp
The super-user can raise the securelevel using
.Xr sysctl 8 ,
but only
.Xr init 8
can lower it.
.Pp
.Nm
provides four levels of securelevel, defined as follows:
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -hyphen -compact
.It
Don't raise the securelevel on boot
.El
.It \ 0 Em Insecure mode
.Bl -hyphen -compact
.It
The init process (PID 1) may not be traced or accessed by
.Xr ptrace 2 ,
.Xr systrace 4 ,
or procfs.
.It
Immutable and append-only file flags may be changed
.It
All devices may be read or written subject to their permissions
.El
.It \ 1 Em Secure mode
.Bl -hyphen -compact
.It
All effects of securelevel 0
.It
.Pa /dev/mem
and
.Pa /dev/kmem
may not be written to
.It
Raw disk devices of mounted file systems are read-only
.It
Immutable and append-only file flags may not be removed
.It
Kernel modules may not be loaded or unloaded
.It
The
.Va net.inet.ip.sourceroute
.Xr sysctl 8
variable may not be changed
.It
Adding or removing
.Xr sysctl 9
nodes is denied
.It
The RTC offset may not be changed
.It
Set-id coredump settings may not be altered
.It
Attaching the IP-based kernel debugger,
.Xr ipkdb 4 ,
is not allowed
.It
Device
.Dq pass-thru
requests that may be used to perform raw disk and/or memory access are denied
.It
.Em iopl
and
.Em ioperm
calls are denied
.It
Access to unmanaged memory is denied
.El
.It \ 2 Em Highly secure mode
.Bl -hyphen -compact
.It
All effects of securelevel 1
.It
Raw disk devices are always read-only whether mounted or not
.It
New disks may not be mounted, and existing mounts may only be downgraded
from read-write to read-only
.It
The system clock may not be set backwards or close to overflow
.It
Per-process coredump name may not be changed
.It
Packet filtering and NAT rules may not be altered
.El
.El
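.Pp
The following is an added example and is not code from NetBSD or from this
manual page: a user-space model, shaped like a
.Xr kauth 9
listener, of the two rules stated above: the super-user may raise
.Va kern.securelevel
but only PID 1 may lower it, and each listed request is denied from a given
level upwards.
The names
.Fn sl_authorize ,
.Fn sl_sysctl_set ,
.Fn sl_try_set ,
.Vt "enum sl_action"
and
.Vt "struct sl_cred"
are chosen for this example, and level \-1 is modelled as imposing no
restrictions, which is an assumption drawn from the list above giving it none.
The only request with extra context is the raw disk write, whose third
argument says whether the device backs a mounted file system.

```c
/*
 * Added example, not NetBSD kernel code: a user-space model of the
 * securelevel policy in secmodel_securelevel(9), shaped like a kauth(9)
 * listener.  sl_action, sl_cred, sl_authorize, sl_sysctl_set and
 * sl_try_set are names chosen for this example.  Level -1 is modelled as
 * imposing no restrictions at all (assumption: the page lists none).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define SL_MIN	(-1)
#define SL_MAX	2

/* Requests the manual page says are gated by securelevel. */
enum sl_action {
	SL_PTRACE_INIT,		/* trace or access PID 1 */
	SL_KMEM_WRITE,		/* write /dev/mem or /dev/kmem */
	SL_RAWDISK_WRITE,	/* write a raw disk; arg = 1 if it is mounted */
	SL_CHFLAGS_REMOVE,	/* clear an immutable or append-only flag */
	SL_MODULE_LOAD,		/* load or unload a kernel module */
	SL_IOPL,		/* iopl/ioperm, unmanaged memory access */
	SL_MOUNT_NEW,		/* mount a new file system */
	SL_MOUNT_UPGRADE,	/* read-only -> read-write */
	SL_MOUNT_DOWNGRADE,	/* read-write -> read-only */
	SL_CLOCK_BACKWARDS,	/* step the system clock backwards */
	SL_PF_RULES		/* alter packet filter or NAT rules */
};

struct sl_cred {
	int pid;
	bool superuser;
};

/* Decide one request at `level`: 0 = allow, EPERM = deny. */
int
sl_authorize(int level, enum sl_action act, int arg)
{
	switch (act) {
	case SL_PTRACE_INIT:
		return level >= 0 ? EPERM : 0;	/* denied from level 0 up */
	case SL_KMEM_WRITE:
	case SL_CHFLAGS_REMOVE:
	case SL_MODULE_LOAD:
	case SL_IOPL:
		return level >= 1 ? EPERM : 0;	/* denied from level 1 up */
	case SL_RAWDISK_WRITE:
		if (level >= 2)
			return EPERM;		/* read-only, mounted or not */
		if (level >= 1 && arg)
			return EPERM;		/* read-only only while mounted */
		return 0;
	case SL_MOUNT_NEW:
	case SL_MOUNT_UPGRADE:
	case SL_CLOCK_BACKWARDS:
	case SL_PF_RULES:
		return level >= 2 ? EPERM : 0;	/* denied at level 2 */
	case SL_MOUNT_DOWNGRADE:
		return 0;		/* the one mount change level 2 allows */
	}
	return EPERM;				/* unknown request: fail closed */
}

/*
 * Write to kern.securelevel: the super-user may raise it, only init
 * (PID 1) may lower it, and the value must stay within -1..2.
 */
int
sl_sysctl_set(const struct sl_cred *cred, int *cur, int newlvl)
{
	if (!cred->superuser)
		return EPERM;
	if (newlvl < SL_MIN || newlvl > SL_MAX)
		return EINVAL;
	if (newlvl < *cur && cred->pid != 1)
		return EPERM;		/* lowering is reserved to init */
	*cur = newlvl;
	return 0;
}

/* Apply one write to a private copy of `cur` and report the errno result. */
int
sl_try_set(int pid, bool superuser, int cur, int newlvl)
{
	struct sl_cred c = { pid, superuser };

	return sl_sysctl_set(&c, &cur, newlvl);
}

int
main(void)
{
	int level = 1;
	struct sl_cred root = { 4242, true }, init = { 1, true };

	printf("root raise 1->2: %d\n", sl_sysctl_set(&root, &level, 2));
	printf("root lower 2->1: %d (EPERM=%d)\n",
	    sl_sysctl_set(&root, &level, 1), EPERM);
	printf("init lower 2->0: %d\n", sl_sysctl_set(&init, &level, 0));
	printf("write /dev/kmem at level 1: %d\n",
	    sl_authorize(1, SL_KMEM_WRITE, 0));
	return 0;
}
```

The fall-through default of
.Fn sl_authorize
matters: a request the model does not recognise is denied rather than
allowed, so a new gated operation that is forgotten in the table fails safe.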
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Normally, the system runs in securelevel 0 while single-user and in
securelevel 1 while multi-user.
If a higher securelevel is desired while running multi-user,
it can be set using the
.Em securelevel
keyword in the startup script
.Pa /etc/rc.conf ,
see
.Xr rc.conf 5
for details.
Lower securelevels require the kernel to be compiled with
.Sy options INSECURE ,
causing it to always default to securelevel \-1.
.Pp
In order for this protection to be effective, the administrator
must ensure that no program that is run while the security level
is 0 or lower, nor any data or configuration file used by any such
program, can be modified while the security level is greater than
0.
This may be achieved through the careful use of the
.Dq immutable
file flag to define and protect a Trusted Computing Base (TCB)
consisting of all such programs and data, or by ensuring that all
such programs and data are on filesystems that are mounted read-only
and running at security level 2 or higher.
.Em Particular care must be taken to ensure, if relying upon
.Em security level 1 and the use of file flags, that the integrity of the
.Em TCB cannot be compromised through the use of modifications to the
.Em disklabel or access to overlapping disk partitions, including the
.Em raw partition .
.Pp
Do not overlook the fact that shell scripts (or anything else fed to an
interpreter, through any mechanism) and the kernel itself are "programs
that run while the security level is 0" and must be considered part of
the TCB.
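.Pp
The following is an added example and is not code from NetBSD or from this
manual page.
It illustrates the overlapping-partition caveat above: at security level 1
only the raw devices of
.Em mounted
file systems are read-only, so a partition that overlaps the one holding the
TCB (such as the raw partition spanning the whole disk) remains a writable
path to the TCB's sectors.
The names
.Vt "struct part" ,
.Va sample_label ,
.Fn part_overlaps ,
.Fn raw_writable
and
.Fn tcb_exposure
are chosen for this example, and the label is constructed inline rather than
read from
.Xr disklabel 8 .
The partition letters follow the usual i386 convention of
.Ql c
covering the NetBSD area and
.Ql d
the whole disk.

```c
/*
 * Added example, not NetBSD code: count the partitions through whose raw
 * device the TCB's file system could be written at a given securelevel.
 * struct part, sample_label, part_overlaps, raw_writable and tcb_exposure
 * are names chosen for this example; the label below is constructed
 * sample data, not read from a real disk.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct part {
	char name;		/* partition letter */
	uint64_t offset;	/* first sector */
	uint64_t size;		/* length in sectors; 0 = unused */
	bool mounted;		/* currently backs a mounted file system */
};

/* Constructed sample: root on 'a', swap on 'b', /usr on 'e'; 'c' spans
   the NetBSD area and 'd' the whole disk (20971520 sectors). */
#define SAMPLE_NPARTS 5
const struct part sample_label[SAMPLE_NPARTS] = {
	{ 'a',      63,  2097152, true  },
	{ 'b', 2097215,  1048576, false },
	{ 'c',      63, 20971457, false },
	{ 'd',       0, 20971520, false },
	{ 'e', 3145791, 17825729, true  },
};

/* True if the two sector ranges intersect. */
bool
part_overlaps(const struct part *a, const struct part *b)
{
	if (a->size == 0 || b->size == 0)
		return false;
	return a->offset < b->offset + b->size &&
	       b->offset < a->offset + a->size;
}

/* True if the raw device of `p` can be written at `level`: level 2 makes
   every raw disk read-only, level 1 only those of mounted file systems. */
bool
raw_writable(const struct part *p, int level)
{
	if (level >= 2)
		return false;
	if (level >= 1)
		return !p->mounted;
	return true;
}

/*
 * Number of partitions (the TCB's own partition included) whose raw
 * device overlaps the TCB's sectors and is still writable at `level`.
 * Anyone relying on file flags at level 1 wants to see zero here.
 */
int
tcb_exposure(const struct part *label, int n, int tcb, int level)
{
	int exposed = 0;

	for (int i = 0; i < n; i++) {
		if (!part_overlaps(&label[i], &label[tcb]))
			continue;
		if (raw_writable(&label[i], level))
			exposed++;
	}
	return exposed;
}

int
main(void)
{
	for (int level = 0; level <= 2; level++)
		printf("securelevel %d: TCB on 'a' writable via %d raw device(s)\n",
		    level, tcb_exposure(sample_label, SAMPLE_NPARTS, 0, level));
	return 0;
}
```

With the sample label the exposure is 3 at level 0 (the root partition's own
raw device plus
.Ql c
and
.Ql d ) ,
2 at level 1 (the two overlapping unmounted partitions) and 0 only at
level 2, which is the point of the caveat: file flags alone, at level 1,
do not protect the TCB's blocks.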
.Sh SEE ALSO
.Xr kauth 9 ,
.Xr secmodel 9 ,
.Xr secmodel_bsd44 9
.Sh AUTHORS
.An Elad Efrat Aq elad@NetBSD.org
.Sh BUGS
Systems without
.Xr sysctl 8
behave as though they have security level \-1.
.Pp
The security level 2 restrictions relating to TCB integrity protection
should be enforced at security level 1.
Restrictions dependent upon security level but not relating to TCB
integrity protection should be selected by
.Xr sysctl 8
settings available only at security level 0 or lower.
199