1.\" $NetBSD: secmodel_securelevel.9,v 1.18 2018/07/15 05:16:41 maxv Exp $ 2.\" 3.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 4.\" Copyright (c) 2000 Hugh Graham 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. The name of the author may not be used to endorse or promote products 16.\" derived from this software without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28.\" 29.Dd July 14, 2018 30.Dt SECMODEL_SECURELEVEL 9 31.Os 32.Sh NAME 33.Nm secmodel_securelevel 34.Nd securelevel security model 35.Sh DESCRIPTION 36The securelevel mechanism is intended to allow protecting the persistence 37of code and data on the system, or a subset thereof, from modification, even 38by the 39.Em super-user , 40by providing convenient means of 41.Dq locking down 42a system to a degree suited to its environment. 43.Pp 44The 45.Em super-user 46can raise the 47.Em securelevel 48using 49.Xr sysctl 8 , 50but only 51.Xr init 8 52can lower it. 53.Pp 54Four security levels are provided: 55.Bl -tag -width flag 56.It \&-1 Em Permanently insecure mode 57.Bl -bullet 58.It 59Do not raise the 60.Em securelevel 61on boot. 62.El 63.It \ 0 Em Insecure mode 64.Bl -bullet 65.It 66The init process (PID 1) may not be traced or accessed by 67.Xr ptrace 2 68or procfs. 69.It 70Immutable and append-only file flags may be changed by 71.Xr chflags 1 72or by other means. 73.It 74All devices may be read or written subject to their permissions. 75.It 76All 77.Xr gpio 4 78pins can be set and device drivers can be attached to them. 79.It 80On architectures that support 81.Xr module 7 , 82kernel modules can be loaded and unloaded. 83.El 84.It \ 1 Em Secure mode 85.Bl -bullet 86.It 87All effects of 88.Em securelevel 890. 90.It 91The 92.Xr x86/kmem 4 93memory files 94.Pa /dev/mem 95and 96.Pa /dev/kmem 97may not be written to. 98.It 99Raw disk devices of mounted file systems are read-only. 100.It 101Immutable and append-only file flags may not be removed. 102.It 103Kernel modules may not be loaded or unloaded. 104.It 105Neither the 106.Va net.inet.ip.sourceroute 107nor the 108.Va vm.user_va0_disable 109.Xr sysctl 8 110variables may be changed. 111.It 112Adding or removing 113.Xr sysctl 9 114nodes is denied. 115.It 116The RTC offset may not be changed. 117.It 118Set-id coredump settings may not be altered. 119.It 120Device 121.Dq pass-thru 122requests that may be used to perform raw disk and/or memory access are denied. 123.It 124The 125.Em iopl 126and 127.Em ioperm 128calls are denied. 129.It 130Access to unmanaged memory is denied. 131.It 132Only GPIO pins that have been set at 133.Em securelevel 1340 can be accessed. 135.It 136SVS (Separate Virtual Space) may not be disabled on platforms that support it. 137.El 138.It \ 2 Em Highly secure mode 139.Bl -bullet 140.It 141All effects of 142.Em securelevel 1431. 144.It 145Raw disk devices are always read-only whether mounted or not. 146.It 147New disks may not be mounted, and existing mounts may only be downgraded 148from read-write to read-only. 149.It 150The system clock may not be set backwards or close to overflow. 151.It 152Per-process coredump name may not be changed. 153.It 154Packet filtering and NAT rules may not be altered. 155.It 156CPU ucode loading is denied on platforms that support it. 157.El 158.El 159.Pp 160Highly secure mode may seem Draconian, but is intended as a last line of 161defence should the 162.Em super-user 163account be compromised. 164Its effects preclude 165circumvention of file flags by direct modification of a raw disk device, 166or erasure of a file system by means of 167.Xr newfs 8 . 168Further, it can limit the potential damage of a compromised 169.Dq firewall 170by prohibiting the modification of packet filter rules. 171Preventing 172the system clock from being set backwards aids in post-mortem analysis 173and helps ensure the integrity of logs. 174Precision timekeeping is not 175affected because the clock may still be slowed. 176.Pp 177Normally, the system runs in 178.Em securelevel 1790 while single-user and in 180.Em securelevel 1811 while multi-user. 182If a higher 183.Em securelevel 184is desired while running multi-user, 185it can be set using the 186.Sy securelevel 187keyword in the startup script 188.Pa /etc/rc.conf , 189see 190.Xr rc.conf 5 191for details. 192Lower securelevels require the kernel to be compiled with 193.Sy options INSECURE , 194causing it to always default to 195.Em securelevel 196\-1. 197.Pp 198In order for this protection to be effective, the administrator 199must ensure that no program that is run while the security level 200is 0 or lower, nor any data or configuration file used by any such 201program, can be modified while the security level is greater than 2020. 203This may be achieved through the careful use of the 204.Dq immutable 205file flag to define and protect a Trusted Computing Base (TCB) 206consisting of all such programs and data, or by ensuring that all 207such programs and data are on filesystems that are mounted read-only 208and running at security level 2 or higher. 209.Em Particular care must be taken to ensure, if relying upon 210.Em security level 1 and the use of file flags, that the integrity of the 211.Em TCB cannot be compromised through the use of modifications to the 212.Em disklabel or access to overlapping disk partitions, including the 213.Em raw partition . 214.Pp 215Do not overlook the fact that shell scripts (or anything else fed to an 216interpreter, through any mechanism) and the kernel itself are "programs 217that run while the security level is 0" and must be considered part of 218the TCB. 219.Pp 220The following 221.Xr sysctl 3 222variables are exported: 223.Bl -tag -width compact 224.It security.models.securelevel.securelevel 225The system security level. 226This level may be raised by processes with appropriate privilege. 227It may only be lowered by process 1 (init). 228.El 229.Sh FUNCTIONS 230.Nm 231exposes a 232.Xr secmodel_eval 9 233evaluation routine 234to test whether the current 235.Em securelevel 236is above a certain threshold level or not. 237.Pp 238The parameters to 239.Xr secmodel_eval 9 240are: 241.Bl -tag -compact -width xxxxx 242.It id 243the unique identifier of 244.Nm : 245.Qo Dv org.netbsd.secmodel.securelevel Qc . 246.It what 247a string, 248.Qo Dv is-securelevel-above Qc . 249.It arg 250a reference to an 251.Dv int 252representing the threshold level. 253.It ret 254a boolean, set by 255.Nm 256to 257.Dv true 258when the 259.Em securelevel 260is strictly above 261the threshold level, 262.Dv false 263otherwise. 264.El 265.Sh RETURN TYPES 266If successful, the evaluation returns 0 with the 267.Fa ret 268argument being either 269.Dv true 270or 271.Dv false . 272.Sh SEE ALSO 273.Xr kauth 9 , 274.Xr secmodel 9 , 275.Xr secmodel_bsd44 9 , 276.Xr secmodel_eval 9 277.Sh AUTHORS 278.An Elad Efrat Aq Mt elad@NetBSD.org 279.Sh BUGS 280Systems without 281.Xr sysctl 8 282behave as though they have security level \-1. 283.Pp 284The security level 2 restrictions relating to TCB integrity protection 285should be enforced at security level 1. 286Restrictions dependent upon security level but not relating to TCB 287integrity protection should be selected by 288.Xr sysctl 8 289settings available only at security level 0 or lower. 290