1.\" $NetBSD: secmodel_securelevel.9,v 1.3 2008/05/28 00:19:52 snj Exp $ 2.\" 3.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
27.\" 28.Dd November 21, 2007 29.Dt SECMODEL_BSD44 9 30.Os 31.Sh NAME 32.Nm secmodel_bsd44 33.Nd traditional 34.Nx 35security model (based on 36.Bx 4.4 ) 37.Sh DESCRIPTION 38The securelevel mechanism is intended to allow protecting the persistence 39of code and data on the system, or a subset thereof, from modification, even 40by the super-user, by providing convenient means of 41.Dq locking down 42a system to a degree suited to its environment. 43.Pp 44The super-user can raise the securelevel using 45.Xr sysctl 8 , 46but only 47.Xr init 8 48can lower it. 49.Pp 50.Nm 51provides four levels of securelevel, defined as follows: 52.Bl -tag -width flag 53.It \&-1 Em Permanently insecure mode 54.Bl -hyphen -compact 55.It 56Don't raise the securelevel on boot 57.El 58.It \ 0 Em Insecure mode 59.Bl -hyphen -compact 60.It 61The init process (PID 1) may not be traced or accessed by 62.Xr ptrace 2 63or procfs. 64.It 65Immutable and append-only file flags may be changed 66.It 67All devices may be read or written subject to their permissions 68.El 69.It \ 1 Em Secure mode 70.Bl -hyphen -compact 71.It 72All effects of securelevel 0 73.It 74.Pa /dev/mem 75and 76.Pa /dev/kmem 77may not be written to 78.It 79Raw disk devices of mounted file systems are read-only 80.It 81Immutable and append-only file flags may not be removed 82.It 83Kernel modules may not be loaded or unloaded 84.It 85The 86.Va net.inet.ip.sourceroute 87.Xr sysctl 8 88variable may not be changed 89.It 90Adding or removing 91.Xr sysctl 9 92nodes is denied 93.It 94The RTC offset may not be changed 95.It 96Set-id coredump settings may not be altered 97.It 98Attaching the IP-based kernel debugger, 99.Xr ipkdb 4 , 100is not allowed 101.It 102Device 103.Dq pass-thru 104requests that may be used to perform raw disk and/or memory access are denied 105.It 106.Em iopl 107and 108.Em ioperm 109calls are denied 110.It 111Access to unmanaged memory is denied 112.El 113.It \ 2 Em Highly secure mode 114.Bl -hyphen -compact 115.It 
116All effects of securelevel 1 117.It 118Raw disk devices are always read-only whether mounted or not 119.It 120New disks may not be mounted, and existing mounts may only be downgraded 121from read-write to read-only 122.It 123The system clock may not be set backwards or close to overflow 124.It 125Per-process coredump name may not be changed 126.It 127Packet filtering and NAT rules may not be altered 128.El 129.El 130.Pp 131Highly secure mode may seem Draconian, but is intended as a last line of 132defence should the superuser account be compromised. 133Its effects preclude 134circumvention of file flags by direct modification of a raw disk device, 135or erasure of a file system by means of 136.Xr newfs 8 . 137Further, it can limit the potential damage of a compromised 138.Dq firewall 139by prohibiting the modification of packet filter rules. 140Preventing 141the system clock from being set backwards aids in post-mortem analysis 142and helps ensure the integrity of logs. 143Precision timekeeping is not 144affected because the clock may still be slowed. 145.Pp 146Normally, the system runs in securelevel 0 while single-user and in 147securelevel 1 while multi-user. 148If a higher securelevel is desired while running multi-user, 149it can be set using the 150.Em securelevel 151keyword in the startup script 152.Pa /etc/rc.conf , 153see 154.Xr rc.conf 5 155for details. 156Lower securelevels require the kernel to be compiled with 157.Sy options INSECURE , 158causing it to always default to securelevel \-1. 159.Pp 160In order for this protection to be effective, the administrator 161must ensure that no program that is run while the security level 162is 0 or lower, nor any data or configuration file used by any such 163program, can be modified while the security level is greater than 1640. 
165This may be achieved through the careful use of the 166.Dq immutable 167file flag to define and protect a Trusted Computing Base (TCB) 168consisting of all such programs and data, or by ensuring that all 169such programs and data are on filesystems that are mounted read-only 170and running at security level 2 or higher. 171.Em Particular care must be taken to ensure, if relying upon 172.Em security level 1 and the use of file flags, that the integrity of the 173.Em TCB cannot be compromised through the use of modifications to the 174.Em disklabel or access to overlapping disk partitions, including the 175.Em raw partition . 176.Pp 177Do not overlook the fact that shell scripts (or anything else fed to an 178interpreter, through any mechanism) and the kernel itself are "programs 179that run while the security level is 0" and must be considered part of 180the TCB. 181.Sh SEE ALSO 182.Xr kauth 9 , 183.Xr secmodel 9 , 184.Xr secmodel_bsd44 9 185.Sh AUTHORS 186.An Elad Efrat Aq elad@NetBSD.org 187.Sh BUGS 188Systems without 189.Xr sysctl 8 190behave as though they have security level \-1. 191.Pp 192The security level 2 restrictions relating to TCB integrity protection 193should be enforced at security level 1. 194Restrictions dependent upon security level but not relating to TCB 195integrity protection should be selected by 196.Xr sysctl 8 197settings available only at security level 0 or lower. 198
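The rc.conf securelevel keyword and the TCB guidance above, as an added example that is not part of the NetBSD man page: a POSIX sh audit script that reads the configured securelevel from an rc.conf-style file, compares it with the running kern.securelevel (which only init(8) can lower, so a shortfall means the setting never took effect or the kernel was built with options INSECURE), and reports TCB files lacking the schg flag. It assumes NetBSD ls(1) -o output for the flag check and that rc.conf is sourced by sh; the sample rc.conf is constructed.

```shell
#!/bin/sh
# Added example, not part of the NetBSD man page: check that the
# securelevel configured with the "securelevel" keyword in rc.conf is
# really in force, and that TCB files carry the immutable flag.
# Assumptions: rc.conf is sourced by sh (last assignment wins); the
# running level comes from "sysctl -n kern.securelevel"; ls(1) -o is
# NetBSD's, printing the flags column after the group.

# Print the configured securelevel from an rc.conf-style file, or
# nothing when the keyword is absent (meaning "keep the default").
rc_conf_securelevel() {
    awk -F= '/^[[:space:]]*securelevel=/ {
                 v = $2; sub(/#.*/, "", v); gsub(/[^-0-9]/, "", v); lvl = v
             }
             END { if (lvl != "") print lvl }' "$1"
}

# Compare the configured level ($1, may be empty) with the running
# kern.securelevel ($2). Prints a verdict; returns non-zero on trouble.
securelevel_status() {
    configured=$1 running=$2
    if [ "$running" -lt 0 ]; then
        # -1 is only reachable on a kernel built with "options INSECURE"
        echo insecure-kernel; return 1
    fi
    # No keyword: multi-user normally runs at securelevel 1
    [ -n "$configured" ] || configured=1
    if [ "$running" -lt "$configured" ]; then
        # Only init(8) can lower the level, so a shortfall means the
        # rc.conf value was never applied (e.g. still single-user)
        echo lower-than-configured; return 1
    fi
    echo ok
}

# Report TCB files that do not carry the system-immutable (schg) flag.
tcb_missing_schg() {
    for f in "$@"; do
        [ -e "$f" ] || { echo "$f: missing"; continue; }
        ls -ldo "$f" | awk -v f="$f" '$5 !~ /schg/ { print f ": not schg" }'
    done
}

# Constructed sample rc.conf: the later assignment (2) wins
tmp=$(mktemp)
printf 'rc_configured=YES\nsecurelevel=1\nsecurelevel="2"  # hardened\n' > "$tmp"
securelevel_status "$(rc_conf_securelevel "$tmp")" 2   # prints "ok"
rm -f "$tmp"
```

On a NetBSD host, call `securelevel_status "$(rc_conf_securelevel /etc/rc.conf)" "$(sysctl -n kern.securelevel)"` from a multi-user shell, and pass the kernel, /etc/rc.conf and the rc.d scripts to `tcb_missing_schg`.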