tech-kern archive


Re: secmodel_securelevel(9) and machdep.svs.enabled



Alexander Nasonov wrote:
> When securelevel is set, should we lock the 1->0 change for
> machdep.svs.enabled (and possibly for other sysctls related
> to recent security mitigations)?

Can I commit the attached patch? (doc update will follow)

-- 
Alex
Index: src/sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.75
diff -p -u -u -r1.75 kauth.h
--- src/sys/sys/kauth.h	28 Aug 2017 00:46:07 -0000	1.75
+++ src/sys/sys/kauth.h	24 Apr 2018 17:59:13 -0000
@@ -320,7 +320,8 @@ enum {
 	KAUTH_MACHDEP_NVRAM,
 	KAUTH_MACHDEP_UNMANAGEDMEM,
 	KAUTH_MACHDEP_PXG,
-	KAUTH_MACHDEP_X86PMC
+	KAUTH_MACHDEP_X86PMC,
+	KAUTH_MACHDEP_SVS_DISABLE
 };
 
 /*
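Review bot: `KAUTH_MACHDEP_SVS_DISABLE` is tied to a single mitigation, while the quoted question also covers other mitigation sysctls. If those are to be locked the same way, each would need its own action plus matching cases in both secmodels. It may be worth deciding now whether a more general action name is wanted, since third-party secmodels presumably switch on these names. Appending at the end of the enum keeps the existing values unchanged, which is the right placement.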
Index: src/sys/secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.43
diff -p -u -u -r1.43 secmodel_suser.c
--- src/sys/secmodel/suser/secmodel_suser.c	14 Jun 2017 17:48:41 -0000	1.43
+++ src/sys/secmodel/suser/secmodel_suser.c	24 Apr 2018 17:59:13 -0000
@@ -854,6 +854,7 @@ secmodel_suser_machdep_cb(kauth_cred_t c
 	case KAUTH_MACHDEP_UNMANAGEDMEM:
 	case KAUTH_MACHDEP_PXG:
 	case KAUTH_MACHDEP_X86PMC:
+	case KAUTH_MACHDEP_SVS_DISABLE:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;
Index: src/sys/secmodel/securelevel/secmodel_securelevel.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
retrieving revision 1.30
diff -p -u -u -r1.30 secmodel_securelevel.c
--- src/sys/secmodel/securelevel/secmodel_securelevel.c	25 Feb 2014 18:30:13 -0000	1.30
+++ src/sys/secmodel/securelevel/secmodel_securelevel.c	24 Apr 2018 17:59:13 -0000
@@ -494,6 +494,11 @@ secmodel_securelevel_machdep_cb(kauth_cr
 			result = KAUTH_RESULT_DENY;
 		break;
 
+	case KAUTH_MACHDEP_SVS_DISABLE:
+		if (securelevel > 0)
+			result = KAUTH_RESULT_DENY;
+		break;
+
 	case KAUTH_MACHDEP_CPU_UCODE_APPLY:
 		if (securelevel > 1)
 			result = KAUTH_RESULT_DENY;
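Review bot: The new `KAUTH_MACHDEP_SVS_DISABLE` case denies at `securelevel > 0`, while the neighbouring `KAUTH_MACHDEP_CPU_UCODE_APPLY` case uses `> 1`, and nothing in the hunk records why the thresholds differ. A short comment above the case would make the intent auditable, for example `/* Disabling SVS removes a security mitigation: refuse once securelevel is raised. */`. The callback's body starts and continues outside this hunk, so any ordering or default-result assumptions could not be checked here.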
Index: src/sys/arch/x86/x86/svs.c
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/x86/svs.c,v
retrieving revision 1.17
diff -p -u -u -r1.17 svs.c
--- src/sys/arch/x86/x86/svs.c	30 Mar 2018 19:58:05 -0000	1.17
+++ src/sys/arch/x86/x86/svs.c	24 Apr 2018 17:59:11 -0000
@@ -38,6 +38,7 @@ __KERNEL_RCSID(0, "$NetBSD: svs.c,v 1.17
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/cpu.h>
+#include <sys/kauth.h>
 #include <sys/sysctl.h>
 #include <sys/xcall.h>
 
@@ -737,11 +738,13 @@ sysctl_machdep_svs_enabled(SYSCTLFN_ARGS
 			error = 0;
 		else
 			error = EOPNOTSUPP;
-	} else {
-		if (svs_enabled)
+	} else if (svs_enabled) {
+		error = kauth_authorize_machdep(kauth_cred_get(),
+		    KAUTH_MACHDEP_SVS_DISABLE, NULL, NULL, NULL, NULL);
+		if (!error)
 			error = svs_disable();
-		else
-			error = 0;
+	} else {
+		error = 0;
 	}
 
 	return error;
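Review bot: The disable branch is now the only path gated by kauth, and the handler carries no comment saying that the asymmetry is deliberate. Something like `/* Turning SVS off drops the mitigation, so it must be authorized; a no-op request is always allowed. */` above the `else if (svs_enabled)` would keep a later refactor from moving the check or merging the branches. As a style point, the handler presumably receives the calling lwp through `SYSCTLFN_ARGS`, so `l->l_cred` could be passed instead of `kauth_cred_get()` if that matches other sysctl handlers in the tree. The start of the function, including the enable branch and the value parsing, is outside the hunk.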

