xref: /netbsd-src/share/man/man9/secmodel_securelevel.9 (revision c2f76ff004a2cb67efe5b12d97bd3ef7fe89e18d)
.\" $NetBSD: secmodel_securelevel.9,v 1.10 2010/12/22 09:08:09 wiz Exp $
.\"
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
.\" Copyright (c) 2000 Hugh Graham
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 21, 2010
.Dt SECMODEL_SECURELEVEL 9
.Os
.Sh NAME
.Nm secmodel_securelevel
.Nd securelevel security model
.Sh DESCRIPTION
The securelevel mechanism is intended to allow protecting the persistence
of code and data on the system, or a subset thereof, from modification, even
by the super-user, by providing convenient means of
.Dq locking down
a system to a degree suited to its environment.
.Pp
The super-user can raise the securelevel using
.Xr sysctl 8 ,
but only
.Xr init 8
can lower it.
.Pp
Four security levels are provided.
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -bullet
.It
Don't raise the securelevel on boot.
.El
.It \ 0 Em Insecure mode
.Bl -bullet
.It
The init process (PID 1) may not be traced or accessed by
.Xr ptrace 2
or procfs.
.It
Immutable and append-only file flags may be changed by
.Xr chflags 1
or by other means.
.It
All devices may be read or written subject to their permissions.
.It
All
.Xr gpio 4
pins can be set and device drivers can be attached to them.
.It
On architectures that support
.Xr module 4 ,
kernel modules can be loaded and unloaded.
.El
.It \ 1 Em Secure mode
.Bl -bullet
.It
All effects of securelevel 0.
.It
The
.Xr kmem 4
memory files
.Pa /dev/mem
and
.Pa /dev/kmem
may not be written to.
.It
Raw disk devices of mounted file systems are read-only.
.It
Immutable and append-only file flags may not be removed.
.It
Kernel modules may not be loaded or unloaded.
.It
Neither the
.Va net.inet.ip.sourceroute
nor the
.Va vm.user_va0_disable
.Xr sysctl 8
variables may be changed.
.It
Adding or removing
.Xr sysctl 9
nodes is denied.
.It
The RTC offset may not be changed.
.It
Set-id coredump settings may not be altered.
.It
Attaching the IP-based kernel debugger,
.Xr ipkdb 4 ,
is not allowed.
.It
Device
.Dq pass-thru
requests that may be used to perform raw disk and/or memory access are denied.
.It
The
.Em iopl
and
.Em ioperm
calls are denied.
.It
Access to unmanaged memory is denied.
.It
Only GPIO pins that have been set at securelevel 0 can be accessed.
.El
.It \ 2 Em Highly secure mode
.Bl -bullet
.It
All effects of securelevel 1.
.It
Raw disk devices are always read-only whether mounted or not.
.It
New disks may not be mounted, and existing mounts may only be downgraded
from read-write to read-only.
.It
The system clock may not be set backwards or close to overflow.
.It
Per-process coredump name may not be changed.
.It
Packet filtering and NAT rules may not be altered.
.El
.El
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Normally, the system runs in securelevel 0 while single-user and in
securelevel 1 while multi-user.
If a higher securelevel is desired while running multi-user,
it can be set using the
.Em securelevel
keyword in the startup configuration file
.Pa /etc/rc.conf ;
see
.Xr rc.conf 5
for details.
Lower securelevels require the kernel to be compiled with
.Sy options INSECURE ,
causing it to always default to securelevel \-1.
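.Pp
The raise-only rule and the rc.conf keyword described above, as an added
example that is not part of this manual page or of the NetBSD sources: an
sh script that reads the running level through the
security.models.securelevel.securelevel sysctl, reads the effective
securelevel keyword from an rc.conf-style file, and issues a sysctl -w
only when the requested level is a legal target (one of the four documented
levels, and not below the running level, since only init can lower it).
The MIB name and the meaning of \-1 come from this page; the function names,
the default file path and the exit codes are the example's own choices.

```sh
#!/bin/sh
# Added example, not part of the NetBSD manual page or the NetBSD sources:
# compare the running securelevel with the "securelevel" keyword in
# rc.conf(5) and raise the kernel to the configured level when it is lower.
# Assumes NetBSD's sysctl(8) and the MIB name documented in this page.
# Lowering is never attempted: only init(8) may lower the level.

SECURELEVEL_MIB=security.models.securelevel.securelevel

# The four levels documented in this page.
valid_securelevel() {
    case $1 in -1|0|1|2) return 0 ;; *) return 1 ;; esac
}

# Print the effective securelevel= assignment from an rc.conf-style file.
# rc.conf is sourced by sh, so the last uncommented assignment wins;
# quotes and a trailing comment are stripped.  Prints nothing if unset.
rc_conf_securelevel() {
    awk '
        /^[[:space:]]*securelevel=/ {
            sub(/^[[:space:]]*securelevel=/, "")
            sub(/[[:space:]]*(#.*)?$/, "")
            gsub(/["'\'']/, "")
            v = $0
        }
        END { if (v != "") print v }
    ' "$1"
}

# Succeeds when a "sysctl -w" from a privileged process can reach level $2
# from the running level $1: the target must be a documented level and not
# below the current one (lowering is reserved to init).
transition_allowed() {
    valid_securelevel "$2" && [ "$2" -ge "$1" ]
}

running_securelevel() {
    sysctl -n "$SECURELEVEL_MIB"
}

main() {
    rc=${1:-/etc/rc.conf}
    current=$(running_securelevel) || {
        echo "cannot read $SECURELEVEL_MIB; is this a NetBSD kernel?" >&2
        return 1
    }
    wanted=$(rc_conf_securelevel "$rc")
    if [ -z "$wanted" ]; then
        # No keyword: multi-user normally runs at 1, except that a kernel
        # sitting at -1 (options INSECURE) is never raised at boot.
        if [ "$current" -eq -1 ]; then
            echo "kernel at securelevel -1 and nothing configured; leaving it"
            return 0
        fi
        wanted=1
    fi
    if ! valid_securelevel "$wanted"; then
        echo "$rc: securelevel=$wanted is not one of -1, 0, 1, 2" >&2
        return 1
    fi
    echo "running securelevel $current, configured $wanted"
    if [ "$wanted" -eq "$current" ]; then
        return 0
    fi
    if transition_allowed "$current" "$wanted"; then
        sysctl -w "$SECURELEVEL_MIB=$wanted"
    else
        echo "cannot lower $current to $wanted from here: only init(8) can; reboot" >&2
        return 2
    fi
}

# The sysctl tree checked here only exists on NetBSD; elsewhere the
# functions above are still usable, e.g. to lint an rc.conf file.
case $(uname -s) in NetBSD) main "$@" ;; esac
```

Run it as root after editing rc.conf to confirm the kernel really sits at
the configured level; a non-zero exit with the "cannot lower" message means
the file asks for less than the kernel already enforces, which only a reboot
through init can deliver.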
.Pp
In order for this protection to be effective, the administrator
must ensure that no program that is run while the security level
is 0 or lower, nor any data or configuration file used by any such
program, can be modified while the security level is greater than
0.
This may be achieved through the careful use of the
.Dq immutable
file flag to define and protect a Trusted Computing Base (TCB)
consisting of all such programs and data, or by ensuring that all
such programs and data are on filesystems that are mounted read-only
and running at security level 2 or higher.
.Em Particular care must be taken to ensure, if relying upon
.Em security level 1 and the use of file flags, that the integrity of the
.Em TCB cannot be compromised through the use of modifications to the
.Em disklabel or access to overlapping disk partitions, including the
.Em raw partition .
.Pp
Do not overlook the fact that shell scripts (or anything else fed to an
interpreter, through any mechanism) and the kernel itself are "programs
that run while the security level is 0" and must be considered part of
the TCB.
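.Pp
The TCB discipline of the two preceding paragraphs, as an added example that
is not part of this manual page or of the NetBSD sources: an sh script that
takes a list of TCB members and reports every one that is not marked with the
system-immutable flag (schg), the flag that securelevel 1 stops even root
from clearing.
It assumes NetBSD ls with the \-o option, which prints the file flags as the
fifth column of a long listing (a lone dash when none are set), and paths
without spaces; the starting list of members and the output wording are the
example's own and must be extended per site.

```sh
#!/bin/sh
# Added example, not part of the NetBSD manual page or the NetBSD sources:
# audit a list of Trusted Computing Base paths and report every member
# that is not marked system-immutable (schg), since at securelevel 1 that
# flag is what stops even root from changing them.  Assumes NetBSD ls(1),
# whose "-o" option prints the file flags column, and paths without spaces.

# Flags column of one "ls -lo" line: field 5, after mode, links, owner and
# group.  NetBSD prints "-" when no flags are set.
ls_lo_flags() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# 0 when the comma-separated flag list $1 contains the flag $2 exactly
# (so "schg" does not match "uchg" or a hypothetical "schgx").
flags_contain() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# IMMUTABLE or MUTABLE for one "ls -lo" line.  Only schg counts: uchg can
# be set by the file owner and says nothing about the TCB being locked.
classify_ls_lo_line() {
    if flags_contain "$(ls_lo_flags "$1")" schg; then
        echo IMMUTABLE
    else
        echo MUTABLE
    fi
}

# Read one TCB path per line on stdin (blank lines and #comments ignored).
# Prints one line per problem; returns non-zero if any was found.  A
# missing member is reported too: the kernel, init, the rc scripts and the
# shell that interprets them are all "programs run at securelevel 0".
audit_tcb() {
    rc=0
    while IFS= read -r path; do
        case $path in ''|'#'*) continue ;; esac
        if ! line=$(ls -ldo "$path" 2>/dev/null); then
            printf 'MISSING  %s\n' "$path"
            rc=1
            continue
        fi
        if [ "$(classify_ls_lo_line "$line")" = MUTABLE ]; then
            printf 'MUTABLE  %s (flags: %s)\n' "$path" "$(ls_lo_flags "$line")"
            rc=1
        fi
    done
    return $rc
}

# Constructed starting list; a real TCB is site-specific and must include
# every script, interpreter and data file consulted before the level is
# raised (anything /etc/rc and the rc.d scripts source or execute).
default_tcb() {
    cat <<'EOF'
/netbsd
/sbin/init
/bin/sh
/etc/rc
/etc/rc.subr
/etc/rc.conf
/etc/rc.d
/etc/fstab
EOF
}

# A reported member is locked with "chflags schg PATH"; the flag can then
# only come off again after init(8) has lowered the level (single-user).
case $(uname -s) in NetBSD) default_tcb | audit_tcb ;; esac
```

The audit is only meaningful once the disklabel and raw partition caveat
above has been dealt with: an attacker who can write the raw device under
the file system bypasses the flag entirely, which is why the page points to
securelevel 2 or a read-only mount for the stronger guarantee.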
.Pp
The following
.Xr sysctl 3
variables are exported:
.Bl -tag -width compact
.It security.models.securelevel.securelevel
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1 (init).
.El
.Sh SEE ALSO
.Xr kauth 9 ,
.Xr secmodel 9 ,
.Xr secmodel_bsd44 9
.Sh AUTHORS
.An Elad Efrat Aq elad@NetBSD.org
.Sh BUGS
Systems without
.Xr sysctl 8
behave as though they have security level \-1.
.Pp
The security level 2 restrictions relating to TCB integrity protection
should be enforced at security level 1.
Restrictions dependent upon security level but not relating to TCB
integrity protection should be selected by
.Xr sysctl 8
settings available only at security level 0 or lower.
223