xref: /netbsd-src/share/man/man9/secmodel_securelevel.9 (revision b1c86f5f087524e68db12794ee9c3e3da1ab17a0)
.\" $NetBSD: secmodel_securelevel.9,v 1.7 2009/10/02 20:31:19 elad Exp $
.\"
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
.\" Copyright (c) 2000 Hugh Graham
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 10, 2009
.Dt SECMODEL_SECURELEVEL 9
.Os
.Sh NAME
.Nm secmodel_securelevel
.Nd securelevel security model
.Sh DESCRIPTION
The securelevel mechanism is intended to protect the persistence
of code and data on the system, or a subset thereof, from modification, even
by the super-user, by providing a convenient means of
.Dq locking down
a system to a degree suited to its environment.
.Pp
The super-user can raise the securelevel using
.Xr sysctl 8 ,
but only
.Xr init 8
can lower it.
.Pp
.Nm
provides four levels of securelevel, defined as follows:
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -hyphen -compact
.It
Don't raise the securelevel on boot
.El
.It \ 0 Em Insecure mode
.Bl -hyphen -compact
.It
The init process (PID 1) may not be traced or accessed by
.Xr ptrace 2
or procfs.
.It
Immutable and append-only file flags may be changed
.It
All devices may be read or written subject to their permissions
.It
GPIO pins can be set and device drivers can be attached to them
.El
.It \ 1 Em Secure mode
.Bl -hyphen -compact
.It
All effects of securelevel 0
.It
.Pa /dev/mem
and
.Pa /dev/kmem
may not be written to
.It
Raw disk devices of mounted file systems are read-only
.It
Immutable and append-only file flags may not be removed
.It
Kernel modules may not be loaded or unloaded
.It
The
.Va net.inet.ip.sourceroute
.Xr sysctl 8
variable may not be changed
.It
Adding or removing
.Xr sysctl 9
nodes is denied
.It
The RTC offset may not be changed
.It
Set-id coredump settings may not be altered
.It
Attaching the IP-based kernel debugger,
.Xr ipkdb 4 ,
is not allowed
.It
Device
.Dq pass-thru
requests that may be used to perform raw disk and/or memory access are denied
.It
.Em iopl
and
.Em ioperm
calls are denied
.It
Access to unmanaged memory is denied
.It
Only GPIO pins that have been set at securelevel 0 can be accessed
.El
.It \ 2 Em Highly secure mode
.Bl -hyphen -compact
.It
All effects of securelevel 1
.It
Raw disk devices are always read-only whether mounted or not
.It
New disks may not be mounted, and existing mounts may only be downgraded
from read-write to read-only
.It
The system clock may not be set backwards or close to overflow
.It
Per-process coredump name may not be changed
.It
Packet filtering and NAT rules may not be altered
.El
.El
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Normally, the system runs in securelevel 0 while single-user and in
securelevel 1 while multi-user.
If a higher securelevel is desired while running multi-user,
it can be set using the
.Em securelevel
keyword in the startup script
.Pa /etc/rc.conf ,
see
.Xr rc.conf 5
for details.
Lower securelevels require the kernel to be compiled with
.Sy options INSECURE ,
causing it to always default to securelevel \-1.
.Pp
In order for this protection to be effective, the administrator
must ensure that no program that is run while the security level
is 0 or lower, nor any data or configuration file used by any such
program, can be modified while the security level is greater than
0.
This may be achieved through the careful use of the
.Dq immutable
file flag to define and protect a Trusted Computing Base (TCB)
consisting of all such programs and data, or by ensuring that all
such programs and data are on filesystems that are mounted read-only
and running at security level 2 or higher.
.Em Particular care must be taken to ensure, if relying upon
.Em security level 1 and the use of file flags, that the integrity of the
.Em TCB cannot be compromised through the use of modifications to the
.Em disklabel or access to overlapping disk partitions, including the
.Em raw partition .
.Pp
Do not overlook the fact that shell scripts (or anything else fed to an
interpreter, through any mechanism) and the kernel itself are "programs
that run while the security level is 0" and must be considered part of
the TCB.
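The TCB discipline described above can be audited from a script. The following is an added example, not code from this man page or from the secmodel_securelevel implementation; it assumes the NetBSD sysctl name given later on this page and that `ls -lo` prints file flags in its fifth column (an assumption stated in the comments), and it runs offline on constructed sample lines.

```shell
#!/bin/sh
# Added example, not part of the NetBSD man page: audit helper for the TCB
# rule above (nothing run or read at securelevel 0 may be modifiable later).
# Assumed NetBSD conventions (assumptions, not stated by the page):
#   sysctl -n security.models.securelevel.securelevel   prints the level
#   ls -lo FILE   prints file flags in field 5 ("-" if none, "schg,nodump" if several)

# Succeed when an `ls -lo` line carries the system immutable flag (schg),
# which the page says cannot be removed once securelevel >= 1.
tcb_line_immutable() {
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read `ls -lo` lines on stdin, report each TCB entry, print a final
# "unprotected: N" line and return non-zero when N > 0.
# $1 is the current securelevel (-1, 0, 1 or 2).
audit_tcb_lines() {
    level=$1
    unprotected=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(printf '%s\n' "$line" | awk '{ print $NF }')   # last field: path (no spaces assumed)
        if tcb_line_immutable "$line"; then
            printf '%-8s %s\n' ok "$name"
        elif [ "$level" -ge 1 ]; then
            # Level already raised: root may still set schg, but the file has been
            # writable since boot, so its integrity is not assured.
            printf '%-8s %s (writable by root at securelevel %s)\n' UNSAFE "$name" "$level"
            unprotected=$((unprotected + 1))
        else
            printf '%-8s %s (chflags schg %s before raising securelevel)\n' fixable "$name" "$name"
            unprotected=$((unprotected + 1))
        fi
    done
    printf 'unprotected: %s\n' "$unprotected"
    [ "$unprotected" -eq 0 ]
}

# Constructed sample of `ls -lo` output (not captured from a real system).
SAMPLE='-r-xr-xr-x  1 root  wheel  schg  438428 Jan 20 10:00 /sbin/init
-rw-r--r--  1 root  wheel  -  1823 Jan 20 10:00 /etc/rc.conf
-rwxr-xr-x  1 root  wheel  schg,nodump  9421 Jan 20 10:00 /etc/rc'
printf '%s\n' "$SAMPLE" | audit_tcb_lines 1 || echo "TCB has unprotected entries"
```

On a NetBSD host the same functions take live input, e.g. `ls -lo /netbsd /sbin/init /etc/rc /etc/rc.conf | audit_tcb_lines "$(sysctl -n security.models.securelevel.securelevel)"` (command layout assumed as noted above).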
.Pp
The following
.Xr sysctl 3
variables are exported:
.Bl -tag -width compact
.It security.models.securelevel.securelevel
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1 (init).
.El
.Sh SEE ALSO
.Xr kauth 9 ,
.Xr secmodel 9 ,
.Xr secmodel_bsd44 9
.Sh AUTHORS
.An Elad Efrat Aq elad@NetBSD.org
.Sh BUGS
Systems without
.Xr sysctl 8
behave as though they have security level \-1.
.Pp
The security level 2 restrictions relating to TCB integrity protection
should be enforced at security level 1.
Restrictions dependent upon security level but not relating to TCB
integrity protection should be selected by
.Xr sysctl 8
settings available only at security level 0 or lower.