Add an explanation of the fundamental purpose of the "security level"
mechanism and attempt to explain how to use it effectively.
This commit is contained in:
parent
0a43b29b75
commit
e333b0fc0e
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: init.8,v 1.28 2003/08/07 10:04:25 agc Exp $
|
||||
.\" $NetBSD: init.8,v 1.29 2003/10/12 04:14:56 tls Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1980, 1991, 1993
|
||||
.\" The Regents of the University of California. All rights reserved.
|
||||
|
@ -131,6 +131,29 @@ The kernel runs with four different levels of security.
|
|||
Any superuser process can raise the security level, but only
|
||||
.Nm
|
||||
can lower it.
|
||||
.Pp
|
||||
The security level mechanism is intended to allow the administrator to
|
||||
protect the persistent code and data on the system, or a subset thereof,
|
||||
from modification, even by the superuser. In order for this protection
|
||||
to be effective, the administrator must ensure that no program that is
|
||||
run while the security level is 0 or lower, nor any data or configuration
|
||||
file used by any such program, can be modified while the security level
|
||||
is greater than 0. This may be achieved through the careful use of the
|
||||
"immutable" file flag to define and protect a Trusted Computing Base
|
||||
(TCB) consisting of all such programs and data, or by ensuring that all
|
||||
such programs and data are on filesystems that are mounted read-only
|
||||
and running at security level 2 or higher.
|
||||
.Sy Particular care must be taken to ensure, if relying upon
|
||||
.Sy security level 1 and the use of file flags, that the integrity of the
|
||||
.Sy TCB cannot be compromised through the use of modifications to the
|
||||
.Sy disklabel or access to overlapping disk partitions, including the
|
||||
.Sy raw partition.
|
||||
.Pp
|
||||
Do not overlook the fact that shell scripts (or anything else fed to an
|
||||
interpreter, through any mechanism) and the kernel itself are "programs
|
||||
that run while the security level is 0" and must be considered part of
|
||||
the TCB.
|
||||
.Pp
|
||||
Security levels are defined as follows:
|
||||
.Bl -tag -width flag
|
||||
.It Ic -1
|
||||
|
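Review bot: the quoted phrase on the line `that run while the security level is 0" and must be considered part of` narrows the definition given a few lines earlier, which speaks of programs run "while the security level is 0 or lower"; since level -1 systems exist (the later text on systems without sysctl(8) says they behave as level -1), quote it as "programs that run while the security level is 0 or lower" so the two passages agree. Two mdoc style points in the same hunk: the five consecutive `.Sy` lines beginning at `.Sy Particular care must be taken to ensure, if relying upon` are better written as a single `.Bf Sy` ... `.Ef` block, which emphasizes the whole passage without repeating the macro on every line and keeps the text reflowable; and the literal `"immutable" file flag` would read better as `.Dq immutable` followed by an `.Xr chflags 1` cross-reference, since chflags(1) is the command that sets the flag.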
@ -355,3 +378,10 @@ command appeared in
|
|||
Systems without
|
||||
.Xr sysctl 8
|
||||
behave as though they have security level \-1.
|
||||
.Pp
|
||||
The security level 2 restrictions relating to TCB integrity protection
|
||||
should be enforced at security level 1. Restrictions dependent upon
|
||||
security level but not relating to TCB integrity protection should be
|
||||
selected by
|
||||
.Xr sysctl 8
|
||||
settings available only at security level 0 or lower.
|
||||
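Review bot: the sentence `The security level 2 restrictions relating to TCB integrity protection` / `should be enforced at security level 1.` names no concrete restriction, so a reader cannot tell which level-2 behaviour is meant; the new paragraph earlier in this change identifies the level-1 gap as disklabel modification and access to overlapping or raw partitions, so name those here (or cross-reference that paragraph) and state explicitly that this describes intended rather than current behaviour, which the placement after the HISTORY text implies but never says. Minor: `\-1` is used for the minus sign on `behave as though they have security level \-1.` while the definition list above uses `.It Ic -1`; pick one form.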