Add an explanation of the fundamental purpose of the "security level"
mechanism and attempt to explain how to use it effectively.
tls 2003-10-12 04:14:56 +00:00
parent 0a43b29b75
commit e333b0fc0e
1 changed files with 31 additions and 1 deletions


@ -1,4 +1,4 @@
.\" $NetBSD: init.8,v 1.28 2003/08/07 10:04:25 agc Exp $
.\" $NetBSD: init.8,v 1.29 2003/10/12 04:14:56 tls Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -131,6 +131,29 @@ The kernel runs with four different levels of security.
Any superuser process can raise the security level, but only
.Nm
can lower it.
.Pp
The security level mechanism is intended to allow the administrator to
protect the persistent code and data on the system, or a subset thereof,
from modification, even by the superuser. In order for this protection
to be effective, the administrator must ensure that no program that is
run while the security level is 0 or lower, nor any data or configuration
file used by any such program, can be modified while the security level
is greater than 0. This may be achieved through the careful use of the
"immutable" file flag to define and protect a Trusted Computing Base
(TCB) consisting of all such programs and data, or by ensuring that all
such programs and data are on filesystems that are mounted read-only
and running at security level 2 or higher.
.Sy Particular care must be taken to ensure, if relying upon
.Sy security level 1 and the use of file flags, that the integrity of the
.Sy TCB cannot be compromised through the use of modifications to the
.Sy disklabel or access to overlapping disk partitions, including the
.Sy raw partition.
.Pp
Do not overlook the fact that shell scripts (or anything else fed to an
interpreter, through any mechanism) and the kernel itself are "programs
that run while the security level is 0" and must be considered part of
the TCB.
.Pp
Security levels are defined as follows:
.Bl -tag -width flag
.It Ic -1
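Review bot: The ASCII double quotes around "immutable" and "programs that run while the security level is 0" in the new paragraphs should be mdoc .Dq macros, and the five consecutive .Sy lines render the whole caveat in bold; consider marking only the lead-in (e.g. `.Sy Particular care`) and leaving the rest as plain text, or use .Em. Since the paragraph tells the administrator to rely on the immutable file flag, a cross-reference to .Xr chflags 1 would show where that flag is set. The disklabel and raw-partition caveat is attached only to the file-flag approach; given that the closing paragraph of this patch argues the level 2 TCB protections belong at level 1, it would help to say explicitly why the read-only-filesystem approach needs "security level 2 or higher", so a reader does not assume read-only mounts at level 1 suffice.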
@ -355,3 +378,10 @@ command appeared in
Systems without
.Xr sysctl 8
behave as though they have security level \-1.
.Pp
The security level 2 restrictions relating to TCB integrity protection
should be enforced at security level 1. Restrictions dependent upon
security level but not relating to TCB integrity protection should be
selected by
.Xr sysctl 8
settings available only at security level 0 or lower.
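Review bot: "The security level 2 restrictions relating to TCB integrity protection" in the new closing paragraph does not say which restrictions are meant; name them, or cross-reference the level 2 entry in the security-level list above, so the reader knows what is being proposed to move to level 1. It would also read more clearly as a statement of desired rather than current behaviour, e.g. "Currently these restrictions are enforced only at security level 2; they should be enforced at security level 1."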