diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2022-10-25 17:57:44 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2023-03-30 14:45:00 +0000 |
| commit | cab1056105e3fdadf6f2b8cc745cfecfb0411755 (patch) | |
| tree | ba329fff250058bd1d4b536d64966911c387b01a | |
| parent | 45e405603b7f4d33372f32c80453ab5cd0d8fdcf (diff) | |
| download | src-cab1056105e3fdadf6f2b8cc745cfecfb0411755.tar.gz src-cab1056105e3fdadf6f2b8cc745cfecfb0411755.zip | |
kdb: Modify securelevel policy
Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel, see commit 3d7618d8bf0b7. However, the newer mac_ddb(4)
restricts DDB operations which could be abused to lower securelevel
while retaining some ability to gather useful debugging information.
To enable the use of KDB (specifically, DDB) on systems with a raised
securelevel, change the KDB sysctl policy: rather than relying on
CTLFLAG_SECURE, add a check of the current securelevel to kdb_trap().
If the securelevel is raised, only pass control to the backend if MAC
specifically grants access; otherwise simply check to see if mac_ddb
vetoes the request, as before.
Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour. That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.
Reviewed by: mhorne, stevek
MFC after: 1 month
Sponsored by: Juniper Networks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D37122
| -rw-r--r-- | share/man/man7/security.7 | 7 | ||||
| -rw-r--r-- | sys/kern/kern_shutdown.c | 12 | ||||
| -rw-r--r-- | sys/kern/subr_kdb.c | 46 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 1 | ||||
| -rw-r--r-- | sys/security/mac/mac_kdb.c | 9 |
5 files changed, 59 insertions, 16 deletions
diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index f87833ece112..e3f11765d083 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 29, 2022 +.Dd March 30, 2023 .Dt SECURITY 7 .Os .Sh NAME @@ -537,7 +537,10 @@ kernel modules (see may not be loaded or unloaded. The kernel debugger may not be entered using the .Va debug.kdb.enter -sysctl. +sysctl unless a +.Xr MAC 9 +policy grants access, for example using +.Xr mac_ddb 4 . A panic or trap cannot be forced using the .Va debug.kdb.panic , .Va debug.kdb.panic_str diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c index 70de6b691fd3..4544e217802d 100644 --- a/sys/kern/kern_shutdown.c +++ b/sys/kern/kern_shutdown.c @@ -129,18 +129,18 @@ int debugger_on_panic = 0; int debugger_on_panic = 1; #endif SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_panic, 0, "Run debugger on kernel panic"); + CTLFLAG_RWTUN, &debugger_on_panic, 0, + "Run debugger on kernel panic"); static bool debugger_on_recursive_panic = false; SYSCTL_BOOL(_debug, OID_AUTO, debugger_on_recursive_panic, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_recursive_panic, 0, "Run debugger on recursive kernel panic"); + CTLFLAG_RWTUN, &debugger_on_recursive_panic, 0, + "Run debugger on recursive kernel panic"); int debugger_on_trap = 0; SYSCTL_INT(_debug, OID_AUTO, debugger_on_trap, - CTLFLAG_RWTUN | CTLFLAG_SECURE, - &debugger_on_trap, 0, "Run debugger on kernel trap before panic"); + CTLFLAG_RWTUN, &debugger_on_trap, 0, + "Run debugger on kernel trap before panic"); #ifdef KDB_TRACE static int trace_on_panic = 1; diff --git a/sys/kern/subr_kdb.c b/sys/kern/subr_kdb.c index b1bf197be3dc..ff981cdfe47c 100644 --- a/sys/kern/subr_kdb.c +++ b/sys/kern/subr_kdb.c @@ -77,6 +77,7 @@ struct trapframe *kdb_frame = NULL; static int kdb_break_to_debugger = KDB_BREAK_TO_DEBUGGER; static int kdb_alt_break_to_debugger = KDB_ALT_BREAK_TO_DEBUGGER; +static int kdb_enter_securelevel = 0; KDB_BACKEND(null, NULL, NULL, NULL, NULL); @@ -103,7 +104,7 @@ SYSCTL_PROC(_debug_kdb, OID_AUTO, current, "currently selected KDB backend"); SYSCTL_PROC(_debug_kdb, OID_AUTO, enter, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_MPSAFE, NULL, 0, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, 0, kdb_sysctl_enter, "I", "set to enter the debugger"); @@ -133,13 +134,18 @@ SYSCTL_PROC(_debug_kdb, OID_AUTO, stack_overflow, "set to cause a stack overflow"); SYSCTL_INT(_debug_kdb, OID_AUTO, break_to_debugger, - CTLFLAG_RWTUN | CTLFLAG_SECURE, + CTLFLAG_RWTUN, &kdb_break_to_debugger, 0, "Enable break to debugger"); SYSCTL_INT(_debug_kdb, OID_AUTO, alt_break_to_debugger, - CTLFLAG_RWTUN | CTLFLAG_SECURE, + CTLFLAG_RWTUN, &kdb_alt_break_to_debugger, 0, "Enable alternative break to debugger"); +SYSCTL_INT(_debug_kdb, OID_AUTO, enter_securelevel, + CTLFLAG_RWTUN | CTLFLAG_SECURE, + &kdb_enter_securelevel, 0, + "Maximum securelevel to enter a KDB backend"); + /* * Flag to indicate to debuggers why the debugger was entered. */ @@ -489,6 +495,34 @@ kdb_dbbe_select(const char *name) return (EINVAL); } +static bool +kdb_backend_permitted(struct kdb_dbbe *be, struct ucred *cred) +{ + int error; + + error = securelevel_gt(cred, kdb_enter_securelevel); +#ifdef MAC + /* + * Give MAC a chance to weigh in on the policy: if the securelevel is + * not raised, then MAC may veto the backend, otherwise MAC may + * explicitly grant access. + */ + if (error == 0) { + error = mac_kdb_check_backend(be); + if (error != 0) { + printf("MAC prevented execution of KDB backend: %s\n", + be->dbbe_name); + return (false); + } + } else if (mac_kdb_grant_backend(be) == 0) { + error = 0; + } +#endif + if (error != 0) + printf("refusing to enter KDB with elevated securelevel\n"); + return (error == 0); +} + /* * Enter the currently selected debugger. If a message has been provided, * it is printed first. If the debugger does not support the enter method, @@ -733,15 +767,11 @@ kdb_trap(int type, int code, struct trapframe *tf) cngrab(); for (;;) { -#ifdef MAC - if (mac_kdb_check_backend(be) != 0) { - printf("MAC prevented execution of KDB backend: %s\n", - be->dbbe_name); + if (!kdb_backend_permitted(be, curthread->td_ucred)) { /* Unhandled breakpoint traps are fatal. */ handled = 1; break; } -#endif handled = be->dbbe_trap(type, code); if (be == kdb_dbbe) break; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 31951c97a69e..8a1de6fe13e1 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -214,6 +214,7 @@ void mac_ipq_reassemble(struct ipq *q, struct mbuf *m); void mac_ipq_update(struct mbuf *m, struct ipq *q); int mac_kdb_check_backend(struct kdb_dbbe *be); +int mac_kdb_grant_backend(struct kdb_dbbe *be); int mac_kenv_check_dump(struct ucred *cred); int mac_kenv_check_get(struct ucred *cred, char *name); diff --git a/sys/security/mac/mac_kdb.c b/sys/security/mac/mac_kdb.c index 9082ec7d4580..08bb3eb743f1 100644 --- a/sys/security/mac/mac_kdb.c +++ b/sys/security/mac/mac_kdb.c @@ -40,6 +40,15 @@ #include <security/mac/mac_policy.h> int +mac_kdb_grant_backend(struct kdb_dbbe *be) +{ + int error = 0; + + MAC_POLICY_GRANT_NOSLEEP(kdb_check_backend, be); + return (error); +} + +int mac_kdb_check_backend(struct kdb_dbbe *be) { int error = 0; |