Re: mem.4: be more accurate about securelevel

2023-01-21 Thread Crystal Kolipe
On Sat, Jan 21, 2023 at 10:43:08AM +, Stuart Henderson wrote:
> Test machines are less of a problem, because they're test machines.

Sure, we're talking about two different scenarios.

> Machines where things have been enabled to debug a problem and then
> forgotten are a bigger issue.

> I'm not convinced that something visible only on a monitor helps much.
> How about security(8) though?

But surely for securelevel < 1, we need some kind of indication that
nags continuously rather than a notification that can take up to
24 hours before it's reported?

Adding:

if [ `sysctl -n kern.securelevel` -lt 1 ] ; then export PS1='!!\h\$!!'; fi

to root's .profile gives an ongoing reminder that is visible on a remote
(i.e. non-monitor) session, but then people who change their shell prompt
will lose it, and obviously with that simple solution the notification will
stay after setting securelevel >= 1 until you log out and in again.
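
Added example, not part of the original message and not OpenBSD code: a variant of the .profile idea above that re-checks kern.securelevel and kern.allowkmem each time the prompt is drawn, so the marker goes away once the values are safe and also shows up when a value cannot be read. The function names are made up for this example, and it assumes ksh(1) performs command substitution on PS1 at every prompt.

```sh
# Added example; function names are hypothetical, not part of OpenBSD.

# read_sysctl NAME: print NAME's value if sysctl succeeds and the value is
# an integer; fail otherwise so callers can tell "unknown" from "0".
read_sysctl() {
	_v=$(sysctl -n "$1" 2>/dev/null) || return 1
	case $_v in
	''|-|*[!0-9-]*|?*-*) return 1 ;;	# empty, bare "-", junk, misplaced "-"
	esac
	printf '%s\n' "$_v"
}

# kmem_findings: one line per problem on stdout.
# Returns 0 if both values are safe, 1 if one is risky, 2 if one is unreadable.
kmem_findings() {
	_rc=0
	if _sl=$(read_sysctl kern.securelevel); then
		if [ "$_sl" -lt 1 ]; then
			echo "kern.securelevel=$_sl (not secure)"
			_rc=1
		fi
	else
		echo "kern.securelevel: cannot read"
		_rc=2
	fi
	if _ak=$(read_sysctl kern.allowkmem); then
		if [ "$_ak" -ge 1 ]; then
			echo "kern.allowkmem=$_ak (userland can access kernel memory)"
			[ "$_rc" -eq 2 ] || _rc=1
		fi
	else
		echo "kern.allowkmem: cannot read"
		_rc=2
	fi
	return "$_rc"
}

# kmem_prompt_tag: "!!" while anything is wrong or unknown, nothing otherwise.
kmem_prompt_tag() {
	if kmem_findings >/dev/null; then
		return 0
	fi
	printf '!!'
}

# The single quotes matter: the substitution is stored unexpanded and the
# shell runs it each time it prints the prompt.  Not exported, because a
# child shell would inherit PS1 but not the functions.
PS1='$(kmem_prompt_tag)\h\$ '
```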



Re: mem.4: be more accurate about securelevel

2023-01-21 Thread Stuart Henderson
On 2023/01/20 18:14, Crystal Kolipe wrote:
> On Fri, Jan 20, 2023 at 01:15:29PM -0700, Theo de Raadt wrote:
> > Todd C. Miller  wrote:
> > > I wonder if it makes sense to have a version of sysctl.conf that
> > > only gets used for the next reboot and then is removed, kind of
> > > like /etc/rc.firsttime.  Maybe call it /etc/sysctl.once.
> > 
> > Well you are shown the change at boot, and it is visible in dmesg -s,
> > which should be good enough.
> 
> Otherwise, something like this might be useful for test machines:

Test machines are less of a problem, because they're test machines.
Machines where things have been enabled to debug a problem and then
forgotten are a bigger issue.

I'm not convinced that something visible only on a monitor helps much.
How about security(8) though?

Index: share/man/man8/security.8
===
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8   13 Jul 2017 19:16:33 -  1.26
+++ share/man/man8/security.8   21 Jan 2023 10:40:37 -
@@ -79,6 +79,10 @@ to protect the programs in
 # chown root:wheel /etc/mtree/bin.secure
 # chmod 600 /etc/mtree/bin.secure
 .Ed
+.It
+Check for insecure
+.Xr sysctl 2
+values.
 .Pp
 .Sy Note:
 These checks do not provide complete protection against
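
Review bot: The new list item ("Check for insecure sysctl values.") does not say which values are meant. The script change in this same diff only looks at kern.securelevel and kern.allowkmem, so naming those two with .Va would let a reader map a line in the report back to the manual. The cross reference is to sysctl 2 while the check itself runs the sysctl command, so sysctl 8 may be the better target.
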
Index: libexec/security/security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.41
diff -u -p -r1.41 security
--- libexec/security/security   11 Oct 2020 18:28:17 -  1.41
+++ libexec/security/security   21 Jan 2023 10:40:37 -
@@ -299,6 +299,18 @@ sub check_ksh {
}
 }
 
+sub check_sysctl {
+   $check_title = "Checking sysctl values:";
+   my $securelevel = `sysctl -n kern.securelevel`;
+   chomp $securelevel;
+   nag $securelevel le 0,
+   "kern.securelevel=$securelevel (not secure).";
+   my $allowkmem = `sysctl -n kern.allowkmem`;
+   chomp $allowkmem;
+   nag $allowkmem ge 1,
+   "kern.allowkmem=$allowkmem (userland can access kernel memory).";
+}
+
 # Uudecode should not be in the /etc/mail/aliases file.
 sub check_mail_aliases {
my $filename = '/etc/mail/aliases';
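
Review bot: In check_sysctl both conditions use Perl's string operators ("$securelevel le 0", "$allowkmem ge 1") on integer values. The comparison is lexical and only gives the intended answer because of how these particular values happen to sort as strings; "<=" and ">=" state the intent. The backtick results are also used without checking that sysctl succeeded: an empty string compares "le 0" as true and would be reported as "kern.securelevel= (not secure).", so it is worth testing for non-empty numeric output before the nag calls.
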
@@ -910,6 +922,7 @@ backup_passwd;
 check_group;
 check_csh;
 check_ksh(check_sh);
+check_sysctl;
 $check_title = "Checking configuration files:";
 check_mail_aliases;
 check_hostname_if;



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Crystal Kolipe
On Fri, Jan 20, 2023 at 01:15:29PM -0700, Theo de Raadt wrote:
> Todd C. Miller  wrote:
> > I wonder if it makes sense to have a version of sysctl.conf that
> > only gets used for the next reboot and then is removed, kind of
> > like /etc/rc.firsttime.  Maybe call it /etc/sysctl.once.
> 
> Well you are shown the change at boot, and it is visible in dmesg -s,
> which should be good enough.

Otherwise, something like this might be useful for test machines:

Index: wsemul_vt100.c
===
RCS file: /cvs/src/sys/dev/wscons/wsemul_vt100.c,v
retrieving revision 1.42
diff -u -p -r1.42 wsemul_vt100.c
--- wsemul_vt100.c  12 Jan 2023 20:39:37 -  1.42
+++ wsemul_vt100.c  20 Jan 2023 21:00:08 -
@@ -170,6 +170,12 @@ wsemul_vt100_cnattach(const struct wsscr
 #ifndef WS_KERNEL_BG
 #define WS_KERNEL_BG WSCOL_BLUE
 #endif
+#ifndef WS_INSEC_BG
+#define WS_INSEC_BG WSCOL_RED
+#endif
+#ifndef WS_INSEC_FG
+#define WS_INSEC_FG WSCOL_WHITE
+#endif
 #ifndef WS_KERNEL_COLATTR
 #define WS_KERNEL_COLATTR 0
 #endif
@@ -186,6 +192,16 @@ wsemul_vt100_cnattach(const struct wsscr
if (res)
edp->kernattr = defattr;
 
+   if (type->capabilities & WSSCREEN_WSCOLORS)
+   res = (*edp->emulops->pack_attr)(cookie,
+   WS_INSEC_FG, WS_INSEC_BG,
+   WS_KERNEL_COLATTR | WSATTR_WSCOLORS, >insecattr);
+   else
+   res = (*edp->emulops->pack_attr)(cookie, 0, 0,
+   WS_KERNEL_MONOATTR, >insecattr);
+   if (res)
+   edp->insecattr = defattr;
+
edp->tabs = NULL;
 #ifdef HAVE_DOUBLE_WIDTH_HEIGHT
edp->dblwid = NULL;
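
Review bot: The else branch packs insecattr with colours 0, 0 and WS_KERNEL_MONOATTR, which by its name is the attribute for ordinary kernel output, so on a screen without WSSCREEN_WSCOLORS a securelevel below 1 would presumably look no different from normal. If the indicator is meant to work there too, a separate mono attribute would be needed (for instance a hypothetical WS_INSEC_MONOATTR with a distinct default); otherwise a comment saying the warning is colour-only would help.
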
@@ -387,15 +403,15 @@ wsemul_vt100_output_normal(struct wsemul
return rc;
}
}
-
+#define KERN_ATTR (securelevel < 1 ? edp->insecattr : edp->kernattr)
 #ifdef HAVE_DOUBLE_WIDTH_HEIGHT
WSEMULOP(rc, edp, >abortstate, putchar,
(edp->emulcookie, edp->crow, edp->ccol << edp->dw, dc,
-kernel ? edp->kernattr : edp->curattr));
+kernel ? KERN_ATTR : edp->curattr));
 #else
WSEMULOP(rc, edp, >abortstate, putchar,
(edp->emulcookie, edp->crow, edp->ccol, dc,
-kernel ? edp->kernattr : edp->curattr));
+kernel ? KERN_ATTR : edp->curattr));
 #endif
if (rc != 0) {
/* undo potential sschartab update */
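
Review bot: KERN_ATTR is defined in the middle of wsemul_vt100_output_normal, in place of the blank line, expands to an expression that depends on the local edp, and is never #undef'd, so it stays visible for the rest of the file. A local variable set before the "#ifdef HAVE_DOUBLE_WIDTH_HEIGHT" block, or a small static inline helper taking edp, would keep the scope tight. A short comment that securelevel is evaluated on every kernel character written would also make it clear that the colour changes as soon as the level is raised.
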

Index: wsemul_vt100var.h
===
RCS file: /cvs/src/sys/dev/wscons/wsemul_vt100var.h,v
retrieving revision 1.12
diff -u -p -r1.12 wsemul_vt100var.h
--- wsemul_vt100var.h   12 Jan 2023 20:39:37 -  1.12
+++ wsemul_vt100var.h   20 Jan 2023 21:00:08 -
@@ -38,6 +38,7 @@ struct wsemul_vt100_emuldata {
uint32_t defattr;   /* default attribute */
 
uint32_t kernattr;  /* attribute for kernel output */
+   uint32_t insecattr; /* ^^^ for securelevel < 1 ^^^ */
void *cbcookie;
 #ifdef DIAGNOSTIC
int console;
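
Review bot: The comment on the new insecattr member ("^^^ for securelevel < 1 ^^^") only makes sense while the line sits directly under kernattr. Spelling it out, for example "attribute for kernel output when securelevel < 1", survives reordering and is easier to find with grep.
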



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Theo de Raadt
Todd C. Miller  wrote:

> On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:
> 
> > During this mimmutable and xonly work, I keep finding test machines where
> > I enabled kern.allowkmem, and have to disable it.  Sometimes weeks later.
> > Both kern.allowkmem and securelevel disabling are dangerous, especially in
> > our world where so much other dangerous stuff has been stopped.
> 
> I wonder if it makes sense to have a version of sysctl.conf that
> only gets used for the next reboot and then is removed, kind of
> like /etc/rc.firsttime.  Maybe call it /etc/sysctl.once.

Well you are shown the change at boot, and it is visible in dmesg -s,
which should be good enough.

I guess I'm saying if I am sloppy, others will also be sloppy.



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Todd C . Miller
On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:

> During this mimmutable and xonly work, I keep finding test machines where
> I enabled kern.allowkmem, and have to disable it.  Sometimes weeks later.
> Both kern.allowkmem and securelevel disabling are dangerous, especially in
> our world where so much other dangerous stuff has been stopped.

I wonder if it makes sense to have a version of sysctl.conf that
only gets used for the next reboot and then is removed, kind of
like /etc/rc.firsttime.  Maybe call it /etc/sysctl.once.

 - todd



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Theo de Raadt
I don't argue for it to be undefined behaviour.

It just is a bad idea to put ideas into people's minds.  In this case
the idea vaguely is 'oh i should disable securelevel, i can do more with
my machine'.

During this mimmutable and xonly work, I keep finding test machines where
I enabled kern.allowkmem, and have to disable it.  Sometimes weeks later.
Both kern.allowkmem and securelevel disabling are dangerous, especially in
our world where so much other dangerous stuff has been stopped.



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Ingo Schwarze
Hi Stuart,

Stuart Henderson wrote on Fri, Jan 20, 2023 at 08:50:48AM +:
> On 2023/01/18 12:46, Theo de Raadt wrote:

>> But you should not start a sentence with also.
>> Also you should not start a sentence with but.
>> 
>> Not the best English.  jmc can weigh in perhaps.

>> Jan Klemkow  wrote:

>>>  .Pp
>>>  Even with sufficient file system permissions,
>>>  these devices can only be opened when the
>>> -.Xr securelevel 7
>>> -is insecure or when the
>>>  .Va kern.allowkmem
>>>  .Xr sysctl 2
>>>  variable is set.
>>> +Also the
>>> +.Xr securelevel 7
>>> +insecure is needed, to open the device writable.

> This is all that's needed isn't it?
> 
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
>  .Xr securelevel 7
> -is insecure or when the
> -is insecure and the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.

I believe that is not what we want to say:
deraadt@ argues that 
 - nobody should run with insecure securelevel,
   not even for offline debugging
 - and it is not needed for read access to /dev/mem
(The discussion has in part drifted off list.)

If we want a complete description (including the strongly
discouraged way to get write access), the following floating
diff is the best I'm aware of:

 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Write access additionally requires an insecure
+.Xr securelevel 7 .

If we want to discourage this even more, we could say something
like this:

 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened for reading and only when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
 .Sh FILES

That would make write behaviour undefined, such that it could be
removed with no further documentation fuss once write access is
indeed removed in the future.

I would be fine with either direction.

Yours,
  Ingo



Re: mem.4: be more accurate about securelevel

2023-01-20 Thread Stuart Henderson
On 2023/01/18 12:46, Theo de Raadt wrote:
> But you should not start a sentence with also.
> Also you should not start a sentence with but.
> 
> Not the best English.  jmc can weigh in perhaps.
> 
> Jan Klemkow  wrote:
> >  .Pp
> >  Even with sufficient file system permissions,
> >  these devices can only be opened when the
> > -.Xr securelevel 7
> > -is insecure or when the
> >  .Va kern.allowkmem
> >  .Xr sysctl 2
> >  variable is set.
> > +Also the
> > +.Xr securelevel 7
> > +insecure is needed, to open the device writable.

This is all that's needed isn't it?

 Even with sufficient file system permissions,
 these devices can only be opened when the
 .Xr securelevel 7
-is insecure or when the
-is insecure and the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
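
Review bot: Both changed lines carry a "-" marker ("-is insecure or when the" and "-is insecure and the"), so as written this removes the text and leaves ".Xr securelevel 7" with nothing after it. The second line was presumably meant to be the "+" side.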



Re: mem.4: be more accurate about securelevel

2023-01-18 Thread Theo de Raadt
But you should not start a sentence with also.
Also you should not start a sentence with but.

Not the best English.  jmc can weigh in perhaps.

Jan Klemkow  wrote:

> On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > > at least this tool works for me:
> > 
> > Surely you have kern.allowkmem=1 set.
> 
> This diff should phrase it correctly.
> 
> ok?
> 
> Thanks,
> Jan
> 
> Index: man4.alpha/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.alpha/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.alpha/mem.4  18 Jan 2023 19:25:27 -
> @@ -63,11 +63,12 @@ kernel virtual memory begins at
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width /dev/kmem -compact
>  .It /dev/mem
> Index: man4.amd64/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.amd64/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.amd64/mem.4  18 Jan 2023 19:26:59 -
> @@ -64,11 +64,12 @@ The kernel virtual memory begins at addr
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width Pa -compact
>  .It Pa /dev/mem
> Index: man4.hppa/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.hppa/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.hppa/mem.4   18 Jan 2023 19:29:07 -
> @@ -52,11 +52,12 @@ address 0; kernel virtual memory begins 
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width /dev/kmem -compact
>  .It Pa /dev/mem
> Index: man4.i386/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
> retrieving revision 1.12
> diff -u -p -r1.12 mem.4
> --- man4.i386/mem.4   12 Jan 2018 04:36:44 -  1.12
> +++ man4.i386/mem.4   18 Jan 2023 19:30:18 -
> @@ -64,11 +64,12 @@ long, and ends at virtual address
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width Pa -compact
>  .It Pa /dev/mem
> Index: man4.landisk/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.landisk/mem.412 Jan 2018 04:36:44 -  1.4
> +++ man4.landisk/mem.418 Jan 2023 19:31:28 -
> @@ -59,11 +59,12 @@ The kernel virtual memory begins at addr
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width Pa -compact
>  .It Pa /dev/mem
> Index: man4.loongson/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.loongson/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.loongson/mem.4   18 Jan 2023 19:32:44 -
> @@ -89,11 +89,12 @@ The kernel virtual memory begins at addr
>  .Pp
>  Even with sufficient file system permissions,
>  these devices can only be opened when the
> -.Xr securelevel 7
> -is insecure or when the
>  .Va kern.allowkmem
>  .Xr sysctl 2
>  variable is set.
> +Also the
> +.Xr securelevel 7
> +insecure is needed, to open the device writable.
>  .Sh FILES
>  .Bl -tag -width Pa -compact
>  .It Pa /dev/mem
> Index: man4.luna88k/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
> retrieving revision 1.4
> 

Re: mem.4: be more accurate about securelevel

2023-01-18 Thread Jan Klemkow
On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > at least this tool works for me:
> 
> Surely you have kern.allowkmem=1 set.

This diff should phrase it correctly.

ok?

Thanks,
Jan

Index: man4.alpha/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
retrieving revision 1.6
diff -u -p -r1.6 mem.4
--- man4.alpha/mem.412 Jan 2018 04:36:44 -  1.6
+++ man4.alpha/mem.418 Jan 2023 19:25:27 -
@@ -63,11 +63,12 @@ kernel virtual memory begins at
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width /dev/kmem -compact
 .It /dev/mem
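
Review bot: Removing "securelevel is insecure or when the" changes the documented condition for any open from "insecure securelevel or kern.allowkmem" to kern.allowkmem alone, and this mail gives no kernel reference for that part, so it should be confirmed against the open path before committing. The added sentence ("Also the securelevel insecure is needed, to open the device writable.") is also hard to parse; something like "Opening for writing additionally requires an insecure securelevel" reads more cleanly. Both points apply to the identical hunks for the other architectures in this diff.
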
Index: man4.amd64/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
retrieving revision 1.6
diff -u -p -r1.6 mem.4
--- man4.amd64/mem.412 Jan 2018 04:36:44 -  1.6
+++ man4.amd64/mem.418 Jan 2023 19:26:59 -
@@ -64,11 +64,12 @@ The kernel virtual memory begins at addr
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width Pa -compact
 .It Pa /dev/mem
Index: man4.hppa/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.hppa/mem.4 12 Jan 2018 04:36:44 -  1.4
+++ man4.hppa/mem.4 18 Jan 2023 19:29:07 -
@@ -52,11 +52,12 @@ address 0; kernel virtual memory begins 
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width /dev/kmem -compact
 .It Pa /dev/mem
Index: man4.i386/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
retrieving revision 1.12
diff -u -p -r1.12 mem.4
--- man4.i386/mem.4 12 Jan 2018 04:36:44 -  1.12
+++ man4.i386/mem.4 18 Jan 2023 19:30:18 -
@@ -64,11 +64,12 @@ long, and ends at virtual address
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width Pa -compact
 .It Pa /dev/mem
Index: man4.landisk/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.landisk/mem.4  12 Jan 2018 04:36:44 -  1.4
+++ man4.landisk/mem.4  18 Jan 2023 19:31:28 -
@@ -59,11 +59,12 @@ The kernel virtual memory begins at addr
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width Pa -compact
 .It Pa /dev/mem
Index: man4.loongson/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.loongson/mem.4 12 Jan 2018 04:36:44 -  1.4
+++ man4.loongson/mem.4 18 Jan 2023 19:32:44 -
@@ -89,11 +89,12 @@ The kernel virtual memory begins at addr
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl -tag -width Pa -compact
 .It Pa /dev/mem
Index: man4.luna88k/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.luna88k/mem.4  12 Jan 2018 04:36:44 -  1.4
+++ man4.luna88k/mem.4  18 Jan 2023 19:33:50 -
@@ -63,11 +63,12 @@ kernel virtual memory begins at
 .Pp
 Even with sufficient file system permissions,
 these devices can only be opened when the
-.Xr securelevel 7
-is insecure or when the
 .Va kern.allowkmem
 .Xr sysctl 2
 variable is set.
+Also the
+.Xr securelevel 7
+insecure is needed, to open the device writable.
 .Sh FILES
 .Bl 

Re: mem.4: be more accurate about securelevel

2023-01-17 Thread Jan Klemkow
On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > at least this tool works for me:
> 
> Surely you have kern.allowkmem=1 set.

Yes, I do.



Re: mem.4: be more accurate about securelevel

2023-01-17 Thread Theo Buehler
> at least this tool works for me:

Surely you have kern.allowkmem=1 set.



Re: mem.4: be more accurate about securelevel

2023-01-17 Thread Jan Klemkow
On Tue, Jan 17, 2023 at 04:23:48PM -0500, Bryan Steele wrote:
> On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> > Hi,
> > 
> > This diff adjusts the manpage of mem(4) to be more accurate.  You can
> > open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
> > 
> > kern/spec_vnops.c:
> > 
> > 	if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
> > 		...
> > 		/*
> > 		 * When running in secure mode, do not allow opens
> > 		 * for writing of /dev/mem, /dev/kmem, or character
> > 		 * devices whose corresponding block devices are
> > 		 * currently mounted.
> > 		 */
> > 		if (securelevel >= 1) {
> > 			...
> > 			if (iskmemdev(dev))
> > 				return (EPERM);
> > 		}
> > 	}
> > 
> > OK?
> > 
> > bye,
> > Jan
> 
> Are you sure about that? Have you tested it?
> 
> https://github.com/openbsd/src/commit/19aedf236181e81baf170421900911c82671fae4

at least this tool works for me:

#include <err.h>
#include <fcntl.h>
#include <limits.h>
#include <nlist.h>
#include <paths.h>
#include <stdio.h>
#include <stdlib.h>

#include <kvm.h>

int
main(void)
{
	kvm_t *kd;
	int mem;
	struct nlist nl[] = {
		{"_ix_debug_ioctl"},
		{NULL}
	};

	char errbuf[_POSIX2_LINE_MAX];

	/* O_RDWR: ask libkvm for read and write access to kernel memory */
	if ((kd = kvm_open(_PATH_KSYMS, NULL, NULL, O_RDWR, errbuf)) == NULL)
		errx(EXIT_FAILURE, "%s", errbuf);

	/* resolve the kernel symbol to an address */
	if (kvm_nlist(kd, nl) == -1)
		errx(EXIT_SUCCESS, "%s", kvm_geterr(kd));

	if (kvm_read(kd, nl[0].n_value, &mem, sizeof mem) != sizeof(mem))
		errx(EXIT_SUCCESS, "%s", kvm_geterr(kd));

	printf("mem: %d\n", mem);

	mem = 1;

	/* write the new value back through the same handle */
	if (kvm_write(kd, nl[0].n_value, &mem, sizeof mem) != sizeof(mem))
		errx(EXIT_SUCCESS, "%s", kvm_geterr(kd));

	if (kvm_close(kd) == -1)
		err(EXIT_FAILURE, "kvm_close");

	return EXIT_SUCCESS;
}



Re: mem.4: be more accurate about securelevel

2023-01-17 Thread Bryan Steele
On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> Hi,
> 
> This diff adjusts the manpage of mem(4) to be more accurate.  You can
> open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
> 
> kern/spec_vnops.c:
> 
> 	if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
> 		...
> 		/*
> 		 * When running in secure mode, do not allow opens
> 		 * for writing of /dev/mem, /dev/kmem, or character
> 		 * devices whose corresponding block devices are
> 		 * currently mounted.
> 		 */
> 		if (securelevel >= 1) {
> 			...
> 			if (iskmemdev(dev))
> 				return (EPERM);
> 		}
> 	}
> 
> OK?
> 
> bye,
> Jan

Are you sure about that? Have you tested it?

https://github.com/openbsd/src/commit/19aedf236181e81baf170421900911c82671fae4

> Index: man4.alpha/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.alpha/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.alpha/mem.4  17 Jan 2023 18:51:10 -
> @@ -62,7 +62,7 @@ kernel virtual memory begins at
>  .Li 0xfc23 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.amd64/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.amd64/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.amd64/mem.4  17 Jan 2023 18:48:23 -
> @@ -63,7 +63,7 @@ The kernel virtual memory begins at addr
>  .Li 0x8000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.hppa/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.hppa/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.hppa/mem.4   17 Jan 2023 18:52:28 -
> @@ -51,7 +51,7 @@ On hppa, the physical memory range is al
>  address 0; kernel virtual memory begins at address 0 as well.
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.i386/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
> retrieving revision 1.12
> diff -u -p -r1.12 mem.4
> --- man4.i386/mem.4   12 Jan 2018 04:36:44 -  1.12
> +++ man4.i386/mem.4   17 Jan 2023 18:53:00 -
> @@ -63,7 +63,7 @@ long, and ends at virtual address
>  .Li 0xfe00 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.landisk/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.landisk/mem.412 Jan 2018 04:36:44 -  1.4
> +++ man4.landisk/mem.417 Jan 2023 18:53:54 -
> @@ -58,7 +58,7 @@ The kernel virtual memory begins at addr
>  .Li 0xc000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.loongson/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.loongson/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.loongson/mem.4   17 Jan 2023 18:54:33 -
> @@ -88,7 +88,7 @@ The kernel virtual memory begins at addr
>  .Ad 0xc000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.luna88k/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.luna88k/mem.412 Jan 2018 

Re: mem.4: be more accurate about securelevel

2023-01-17 Thread Klemens Nanni
17.01.2023 20:37, Jan Klemkow wrote:
> Hi,
> 
> This diff adjusts the manpage of mem(4) to be more accurate.  You can
> open(2) mem(4) in securelevel 1 in readonly mode, but not writable.

securelevel(7) still says
  1 Secure mode
   ...
   -   /dev/mem and /dev/kmem cannot be opened

"securelevel.7: Clarify mem(4) semantics" tried to fix it two years ago:
https://marc.info/?l=openbsd-tech&m=157945224915525&w=2

> 
> kern/spec_vnops.c:
> 
> 	if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
> 		...
> 		/*
> 		 * When running in secure mode, do not allow opens
> 		 * for writing of /dev/mem, /dev/kmem, or character
> 		 * devices whose corresponding block devices are
> 		 * currently mounted.
> 		 */
> 		if (securelevel >= 1) {
> 			...
> 			if (iskmemdev(dev))
> 				return (EPERM);
> 		}
> 	}
> 
> OK?
> 
> bye,
> Jan
> 
> Index: man4.alpha/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.alpha/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.alpha/mem.4  17 Jan 2023 18:51:10 -
> @@ -62,7 +62,7 @@ kernel virtual memory begins at
>  .Li 0xfc23 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.amd64/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.amd64/mem.4  12 Jan 2018 04:36:44 -  1.6
> +++ man4.amd64/mem.4  17 Jan 2023 18:48:23 -
> @@ -63,7 +63,7 @@ The kernel virtual memory begins at addr
>  .Li 0x8000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.hppa/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.hppa/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.hppa/mem.4   17 Jan 2023 18:52:28 -
> @@ -51,7 +51,7 @@ On hppa, the physical memory range is al
>  address 0; kernel virtual memory begins at address 0 as well.
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.i386/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
> retrieving revision 1.12
> diff -u -p -r1.12 mem.4
> --- man4.i386/mem.4   12 Jan 2018 04:36:44 -  1.12
> +++ man4.i386/mem.4   17 Jan 2023 18:53:00 -
> @@ -63,7 +63,7 @@ long, and ends at virtual address
>  .Li 0xfe00 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.landisk/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.landisk/mem.412 Jan 2018 04:36:44 -  1.4
> +++ man4.landisk/mem.417 Jan 2023 18:53:54 -
> @@ -58,7 +58,7 @@ The kernel virtual memory begins at addr
>  .Li 0xc000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.loongson/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.loongson/mem.4   12 Jan 2018 04:36:44 -  1.4
> +++ man4.loongson/mem.4   17 Jan 2023 18:54:33 -
> @@ -88,7 +88,7 @@ The kernel virtual memory begins at addr
>  .Ad 0xc000 .
>  .Pp
>  Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
>  .Xr securelevel 7
>  is insecure or when the
>  .Va kern.allowkmem
> Index: man4.luna88k/mem.4
> ===
> RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
> 

mem.4: be more accurate about securelevel

2023-01-17 Thread Jan Klemkow
Hi,

This diff adjusts the manpage of mem(4) to be more accurate.  You can
open(2) mem(4) in securelevel 1 in readonly mode, but not writable.

kern/spec_vnops.c:

	if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
		...
		/*
		 * When running in secure mode, do not allow opens
		 * for writing of /dev/mem, /dev/kmem, or character
		 * devices whose corresponding block devices are
		 * currently mounted.
		 */
		if (securelevel >= 1) {
			...
			if (iskmemdev(dev))
				return (EPERM);
		}
	}

OK?

bye,
Jan

Index: man4.alpha/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
retrieving revision 1.6
diff -u -p -r1.6 mem.4
--- man4.alpha/mem.412 Jan 2018 04:36:44 -  1.6
+++ man4.alpha/mem.417 Jan 2023 18:51:10 -
@@ -62,7 +62,7 @@ kernel virtual memory begins at
 .Li 0xfc23 .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
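
Review bot: With "writable" inserted, the sentence now says a writable open is possible when securelevel is insecure or when kern.allowkmem is set. The spec_vnops.c excerpt quoted above the diff returns EPERM for a write open of a kmem device whenever securelevel >= 1, with no allowkmem test in the lines shown, so the "or" looks wrong for the write case. The paragraph also no longer says what a read-only open requires. The same comment applies to the identical hunks that follow.
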
Index: man4.amd64/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
retrieving revision 1.6
diff -u -p -r1.6 mem.4
--- man4.amd64/mem.412 Jan 2018 04:36:44 -  1.6
+++ man4.amd64/mem.417 Jan 2023 18:48:23 -
@@ -63,7 +63,7 @@ The kernel virtual memory begins at addr
 .Li 0x8000 .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.hppa/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.hppa/mem.4 12 Jan 2018 04:36:44 -  1.4
+++ man4.hppa/mem.4 17 Jan 2023 18:52:28 -
@@ -51,7 +51,7 @@ On hppa, the physical memory range is al
 address 0; kernel virtual memory begins at address 0 as well.
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.i386/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
retrieving revision 1.12
diff -u -p -r1.12 mem.4
--- man4.i386/mem.4 12 Jan 2018 04:36:44 -  1.12
+++ man4.i386/mem.4 17 Jan 2023 18:53:00 -
@@ -63,7 +63,7 @@ long, and ends at virtual address
 .Li 0xfe00 .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.landisk/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.landisk/mem.4  12 Jan 2018 04:36:44 -  1.4
+++ man4.landisk/mem.4  17 Jan 2023 18:53:54 -
@@ -58,7 +58,7 @@ The kernel virtual memory begins at addr
 .Li 0xc000 .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.loongson/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.loongson/mem.4 12 Jan 2018 04:36:44 -  1.4
+++ man4.loongson/mem.4 17 Jan 2023 18:54:33 -
@@ -88,7 +88,7 @@ The kernel virtual memory begins at addr
 .Ad 0xc000 .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.luna88k/mem.4
===
RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
retrieving revision 1.4
diff -u -p -r1.4 mem.4
--- man4.luna88k/mem.4  12 Jan 2018 04:36:44 -  1.4
+++ man4.luna88k/mem.4  17 Jan 2023 18:54:47 -
@@ -62,7 +62,7 @@ kernel virtual memory begins at
 .Ad 0x .
 .Pp
 Even with sufficient file system permissions,
-these devices can only be opened when the
+these devices can only be opened writable when the
 .Xr securelevel 7
 is insecure or when the
 .Va kern.allowkmem
Index: man4.macppc/mem.4