xref: /netbsd-src/share/man/man9/secmodel_securelevel.9 (revision bdc22b2e01993381dcefeff2bc9b56ca75a4235c)
1.\" $NetBSD: secmodel_securelevel.9,v 1.18 2018/07/15 05:16:41 maxv Exp $
2.\"
3.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
4.\" Copyright (c) 2000 Hugh Graham
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright
11.\"    notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\" 3. The name of the author may not be used to endorse or promote products
16.\"    derived from this software without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28.\"
29.Dd July 14, 2018
30.Dt SECMODEL_SECURELEVEL 9
31.Os
32.Sh NAME
33.Nm secmodel_securelevel
34.Nd securelevel security model
35.Sh DESCRIPTION
36The securelevel mechanism is intended to allow protecting the persistence
37of code and data on the system, or a subset thereof, from modification, even
38by the
39.Em super-user ,
40by providing convenient means of
41.Dq locking down
42a system to a degree suited to its environment.
43.Pp
44The
45.Em super-user
46can raise the
47.Em securelevel
48using
49.Xr sysctl 8 ,
50but only
51.Xr init 8
52can lower it.
53.Pp
54Four security levels are provided:
55.Bl -tag -width flag
56.It \&-1 Em Permanently insecure mode
57.Bl -bullet
58.It
59Do not raise the
60.Em securelevel
61on boot.
62.El
63.It \ 0 Em Insecure mode
64.Bl -bullet
65.It
66The init process (PID 1) may not be traced or accessed by
67.Xr ptrace 2
68or procfs.
69.It
70Immutable and append-only file flags may be changed by
71.Xr chflags 1
72or by other means.
73.It
74All devices may be read or written subject to their permissions.
75.It
76All
77.Xr gpio 4
78pins can be set and device drivers can be attached to them.
79.It
80On architectures that support
81.Xr module 7 ,
82kernel modules can be loaded and unloaded.
83.El
84.It \ 1 Em Secure mode
85.Bl -bullet
86.It
87All effects of
88.Em securelevel
890.
90.It
91The
92.Xr x86/kmem 4
93memory files
94.Pa /dev/mem
95and
96.Pa /dev/kmem
97may not be written to.
98.It
99Raw disk devices of mounted file systems are read-only.
100.It
101Immutable and append-only file flags may not be removed.
102.It
103Kernel modules may not be loaded or unloaded.
104.It
105Neither the
106.Va net.inet.ip.sourceroute
107nor the
108.Va vm.user_va0_disable
109.Xr sysctl 8
110variables may be changed.
111.It
112Adding or removing
113.Xr sysctl 9
114nodes is denied.
115.It
116The RTC offset may not be changed.
117.It
118Set-id coredump settings may not be altered.
119.It
120Device
121.Dq pass-thru
122requests that may be used to perform raw disk and/or memory access are denied.
123.It
124The
125.Em iopl
126and
127.Em ioperm
128calls are denied.
129.It
130Access to unmanaged memory is denied.
131.It
132Only GPIO pins that have been set at
133.Em securelevel
1340 can be accessed.
135.It
136SVS (Separate Virtual Space) may not be disabled on platforms that support it.
137.El
138.It \ 2 Em Highly secure mode
139.Bl -bullet
140.It
141All effects of
142.Em securelevel
1431.
144.It
145Raw disk devices are always read-only whether mounted or not.
146.It
147New disks may not be mounted, and existing mounts may only be downgraded
148from read-write to read-only.
149.It
150The system clock may not be set backwards or close to overflow.
151.It
152Per-process coredump name may not be changed.
153.It
154Packet filtering and NAT rules may not be altered.
155.It
156CPU ucode loading is denied on platforms that support it.
157.El
158.El
159.Pp
160Highly secure mode may seem Draconian, but is intended as a last line of
161defence should the
162.Em super-user
163account be compromised.
164Its effects preclude
165circumvention of file flags by direct modification of a raw disk device,
166or erasure of a file system by means of
167.Xr newfs 8 .
168Further, it can limit the potential damage of a compromised
169.Dq firewall
170by prohibiting the modification of packet filter rules.
171Preventing
172the system clock from being set backwards aids in post-mortem analysis
173and helps ensure the integrity of logs.
174Precision timekeeping is not
175affected because the clock may still be slowed.
176.Pp
177Normally, the system runs in
178.Em securelevel
1790 while single-user and in
180.Em securelevel
1811 while multi-user.
182If a higher
183.Em securelevel
184is desired while running multi-user,
185it can be set using the
186.Sy securelevel
187keyword in the startup script
188.Pa /etc/rc.conf ,
189see
190.Xr rc.conf 5
191for details.
192Lower securelevels require the kernel to be compiled with
193.Sy options INSECURE ,
194causing it to always default to
195.Em securelevel
196\-1.
197.Pp
198In order for this protection to be effective, the administrator
199must ensure that no program that is run while the security level
200is 0 or lower, nor any data or configuration file used by any such
201program, can be modified while the security level is greater than
2020.
203This may be achieved through the careful use of the
204.Dq immutable
205file flag to define and protect a Trusted Computing Base (TCB)
206consisting of all such programs and data, or by ensuring that all
207such programs and data are on filesystems that are mounted read-only
208and running at security level 2 or higher.
209.Em Particular care must be taken to ensure, if relying upon
210.Em security level 1 and the use of file flags, that the integrity of the
211.Em TCB cannot be compromised through the use of modifications to the
212.Em disklabel or access to overlapping disk partitions, including the
213.Em raw partition .
214.Pp
215Do not overlook the fact that shell scripts (or anything else fed to an
216interpreter, through any mechanism) and the kernel itself are "programs
217that run while the security level is 0" and must be considered part of
218the TCB.
219.Pp
220The following
221.Xr sysctl 3
222variables are exported:
223.Bl -tag -width compact
224.It security.models.securelevel.securelevel
225The system security level.
226This level may be raised by processes with appropriate privilege.
227It may only be lowered by process 1 (init).
228.El
229.Sh FUNCTIONS
230.Nm
231exposes a
232.Xr secmodel_eval 9
233evaluation routine
234to test whether the current
235.Em securelevel
236is above a certain threshold level or not.
237.Pp
238The parameters to
239.Xr secmodel_eval 9
240are:
241.Bl -tag -compact -width xxxxx
242.It id
243the unique identifier of
244.Nm :
245.Qo Dv org.netbsd.secmodel.securelevel Qc .
246.It what
247a string,
248.Qo Dv is-securelevel-above Qc .
249.It arg
250a reference to an
251.Dv int
252representing the threshold level.
253.It ret
254a boolean, set by
255.Nm
256to
257.Dv true
258when the
259.Em securelevel
260is strictly above
261the threshold level,
262.Dv false
263otherwise.
264.El
265.Sh RETURN TYPES
266If successful, the evaluation returns 0 with the
267.Fa ret
268argument being either
269.Dv true
270or
271.Dv false .
272.Sh SEE ALSO
273.Xr kauth 9 ,
274.Xr secmodel 9 ,
275.Xr secmodel_bsd44 9 ,
276.Xr secmodel_eval 9
277.Sh AUTHORS
278.An Elad Efrat Aq Mt elad@NetBSD.org
279.Sh BUGS
280Systems without
281.Xr sysctl 8
282behave as though they have security level \-1.
283.Pp
284The security level 2 restrictions relating to TCB integrity protection
285should be enforced at security level 1.
286Restrictions dependent upon security level but not relating to TCB
287integrity protection should be selected by
288.Xr sysctl 8
289settings available only at security level 0 or lower.
290