Subject: bin/10780: Unable to load BEFOREMOUNT, AFTERMOUNT LKMs if using securelevel > 0
To: None <gnats-bugs@gnats.netbsd.org>
From: None <rafal@mediaone.net>
List: netbsd-bugs
Date: 08/07/2000 20:10:21
>Number: 10780
>Category: bin
>Synopsis: Unable to load BEFOREMOUNT, AFTERMOUNT LKMs if using securelevel > 0
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Aug 07 20:11:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Rafal Boni
>Release: 1.5_ALPHA of 8/2, also present in sources of 8/7, 10:00am EST
>Organization:
Highly Unlikely
>Environment:
1.5_ALPHA snapshot built from 8/2 sources, x86 hardware, not that it
has any machine dependencies..
>Description:
Loading any non-BEFORENET lkm with
securelevel="1"
in rc.conf, fails due to the fact that securelevel has already been
upped in sysctl (which precedes NETWORK).
>How-To-Repeat:
Specify a BEFOREMOUNT/AFTERMOUNT LKM in /etc/lkm.conf while
/etc/rc.conf has 'securelevel="1"' also specified.
Watch the LKM load fail with an "Operation not permitted" error.
>Fix:
Break setting the securelevel out from the sysctl script, and
have the 'securelevel' script depend on all the LKM load points.
In order to be as safe as possible, the securelevel script is
forced to be started before SERVERS, so no network or local access
to the machine (other than stopping the boot sequence) should be
allowed before the securelevel is upped.
Patch (with new 'securelevel' script) follows:
Index: sysctl
===================================================================
RCS file: /cvsroot/basesrc/etc/rc.d/sysctl,v
retrieving revision 1.8
diff -b -u -r1.8 sysctl
--- sysctl 2000/06/13 16:29:55 1.8
+++ sysctl 2000/08/08 03:02:20
@@ -30,20 +30,6 @@
__EOF__
fi
- # if $securelevel is set, change it here, else if it is 0,
- # change it to 1 here, before we start login services.
- #
- if [ -n "$securelevel" ]; then
- echo -n "Setting securelevel: "
- sysctl -w kern.securelevel=$securelevel
- else
- securelevel=`sysctl -n kern.securelevel`
- if [ x"$securelevel" = x0 ]; then
- echo -n "Setting securelevel: "
- sysctl -w kern.securelevel=1
- fi
- fi
-
if [ -r /etc/sysctl.conf ]; then
echo "Setting sysctl variables:"
sysctl -f /etc/sysctl.conf
--- /dev/null Mon Aug 7 22:26:08 2000
+++ securelevel Mon Aug 7 23:02:10 2000
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $NetBSD$
+#
+
+# PROVIDE: securelevel
+# REQUIRE: beforenetlkm beforemountlkm aftermountlkm
+# BEFORE: SERVERS
+
+. /etc/rc.subr
+
+name="securelevel"
+start_cmd="securelevel_start"
+stop_cmd=":"
+
+securelevel_start()
+{
+ # if $securelevel is set, change it here, else if it is 0,
+ # change it to 1 here, before we start login services.
+ #
+ if [ -n "$securelevel" ]; then
+ echo -n "Setting securelevel: "
+ sysctl -w kern.securelevel=$securelevel
+ else
+ securelevel=`sysctl -n kern.securelevel`
+ if [ x"$securelevel" = x0 ]; then
+ echo -n "Setting securelevel: "
+ sysctl -w kern.securelevel=1
+ fi
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
>Release-Note:
>Audit-Trail:
>Unformatted: