From: Eli Dart (dart@nersc.gov)
Date: Thu Oct 04 2001 - 12:35:34 CDT


    In reply to "Crist J. Clark" <cristjc@earthlink.net> :

    [snip]

    > Have fun. Unless there is outpouring from people who love the idea,
    > I'm not going to commit these to FreeBSD.

    Please consider this as part of an outpouring of support from people
    who love the idea. I don't always have the option of running a box
    in securelevel 1, and I would like to have this knob available, even
    though it doesn't fix the problem all the way. Something similar
    used to exist in FreeBSD 3.x -- I was sorry when it went away.

                    --eli

    > --
    > Crist J. Clark cjclark@alum.mit.edu
    > cjclark@jhu.edu
    > cjc@freebsd.org
    >
    > [attachment: sys_stable.patch]
    >
    > Index: sys/conf/options
    > ===================================================================
    > RCS file: /export/ncvs/src/sys/conf/options,v
    > retrieving revision 1.191.2.36
    > diff -u -r1.191.2.36 options
    > --- sys/conf/options 2001/09/15 00:50:35 1.191.2.36
    > +++ sys/conf/options 2001/10/04 08:21:10
    > -464,3 +464,6
    > FDC_DEBUG opt_fdc.h
    > PCFCLOCK_VERBOSE opt_pcfclock.h
    > PCFCLOCK_MAX_RETRIES opt_pcfclock.h
    > +
    > +# Disable loading and unloading of kernel modules
    > +NO_KLD opt_kern_linker.h
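
    Review bot: the new NO_KLD entry in sys/conf/options is not documented anywhere in this 4.x patch, whereas the -current version of the same change adds a commented-out `#options NO_KLD` with an explanation to sys/i386/conf/NOTES; add the equivalent entry to the 4.x LINT file so the knob is discoverable by people building custom kernels.
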
    > Index: sys/kern/kern_linker.c
    > ===================================================================
    > RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
    > retrieving revision 1.41.2.2
    > diff -u -r1.41.2.2 kern_linker.c
    > --- sys/kern/kern_linker.c 2000/07/16 13:13:32 1.41.2.2
    > +++ sys/kern/kern_linker.c 2001/10/04 08:10:05
    > -27,6 +27,7
    > */
    >
    > #include "opt_ddb.h"
    > +#include "opt_kern_linker.h"
    >
    > #include <sys/param.h>
    > #include <sys/kernel.h>
    > -648,6 +649,10
    > int
    > kldload(struct proc* p, struct kldload_args* uap)
    > {
    > +#ifdef NO_KLD
    > + /* Always return error. */
    > + return EPERM;
    > +#else
    > char* filename = NULL, *modulename;
    > linker_file_t lf;
    > int error = 0;
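
    Review bot: this only refuses the kldload(2) syscall entry point, while the companion NOTES text says the option "prevents KLDs from being loaded at all"; anything inside the kernel that calls the linker directly rather than through this syscall, and modules preloaded by the boot loader (which never pass through here), are unaffected, so either push the check down into the linker's own load routine or describe the option as refusing kldload(2)/kldunload(2). Also, wrapping the whole body in `#ifdef NO_KLD ... #else ... #endif` splits the pair across two hunks, which is hard to review; a single `#ifdef NO_KLD return (EPERM); #endif` at the top, leaving the body compiled but unreachable, reads more clearly.
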
    > -685,11 +690,16
    > if (filename)
    > free(filename, M_TEMP);
    > return error;
    > +#endif
    > }
    >
    > int
    > kldunload(struct proc* p, struct kldunload_args* uap)
    > {
    > +#ifdef NO_KLD
    > + /* Always fail. */
    > + return EPERM;
    > +#else
    > linker_file_t lf;
    > int error = 0;
    >
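
    Review bot: minor inconsistency: this comment reads "Always fail." while the kldload hunk above says "Always return error."; use one wording. More substantively, with NO_KLD even a module preloaded by the boot loader can never be unloaded at run time, which matches the options-file description ("loading and unloading") but is worth stating explicitly there so nobody expects unload to keep working for root at securelevel 0.
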
    > -716,6 +726,7
    >
    > out:
    > return error;
    > +#endif
    > }
    >
    > int
    >
    > [attachment: sys_current.patch]
    >
    > Index: sys/conf/options
    > ===================================================================
    > RCS file: /export/ncvs/src/sys/conf/options,v
    > retrieving revision 1.295
    > diff -u -r1.295 options
    > --- sys/conf/options 2001/09/29 22:32:00 1.295
    > +++ sys/conf/options 2001/10/04 08:07:37
    > -526,3 +527,6
    >
    > # ed driver
    > ED_NO_MIIBUS opt_ed.h
    > +
    > +# Disable loading and unloading of kernel modules
    > +NO_KLD opt_kern_linker.h
    > Index: sys/i386/conf/NOTES
    > ===================================================================
    > RCS file: /export/ncvs/src/sys/i386/conf/NOTES,v
    > retrieving revision 1.961
    > diff -u -r1.961 NOTES
    > --- sys/i386/conf/NOTES 2001/09/29 22:31:57 1.961
    > +++ sys/i386/conf/NOTES 2001/10/04 08:07:51
    > -106,6 +106,10
    > #
    > options ROOTDEVNAME=\"ufs:da0s2e\"
    >
    > +# This prevents KLDs from being loaded at all. For those who want the
    > +# added security but cannot run at an elevated securelevel(8).
    > +#options NO_KLD
    > +
    >
    > #####################################################################
    > # SMP OPTIONS:
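
    Review bot: "prevents KLDs from being loaded at all" overstates the kern_linker.c change, which only makes kldload(2) and kldunload(2) return EPERM: modules preloaded by the boot loader are still linked at boot, and the unloading restriction is not mentioned here at all. Suggest:
    `# Refuse kldload(2)/kldunload(2) unconditionally, for those who want the`
    `# added security but cannot run at an elevated securelevel(8).`
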
    > Index: sys/kern/kern_linker.c
    > ===================================================================
    > RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
    > retrieving revision 1.69
    > diff -u -r1.69 kern_linker.c
    > --- sys/kern/kern_linker.c 2001/09/12 08:37:44 1.69
    > +++ sys/kern/kern_linker.c 2001/10/04 07:47:05
    > -27,6 +27,7
    > */
    >
    > #include "opt_ddb.h"
    > +#include "opt_kern_linker.h"
    >
    > #include <sys/param.h>
    > #include <sys/kernel.h>
    > -685,6 +686,10
    > int
    > kldload(struct thread* td, struct kldload_args* uap)
    > {
    > +#ifdef NO_KLD
    > + /* Always fail */
    > + return EPERM;
    > +#else
    > char *kldname, *modname;
    > char *pathname = NULL;
    > linker_file_t lf;
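
    Review bot: style(9) asks for parenthesised return values and this file already uses `return (error);`, so make this `return (EPERM);` (same in the kldunload hunk). The early return does sit before the body acquires Giant (the matching `mtx_unlock(&Giant)` is visible in the next hunk), so no lock is leaked under NO_KLD; keep it that way if the check is ever moved below the declarations.
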
    > -727,6 +732,7
    > free(pathname, M_TEMP);
    > mtx_unlock(&Giant);
    > return (error);
    > +#endif
    > }
    >
    > /*
    > -735,6 +741,10
    > int
    > kldunload(struct thread* td, struct kldunload_args* uap)
    > {
    > +#ifdef NO_KLD
    > + /* Always fail */
    > + return EPERM;
    > +#else
    > linker_file_t lf;
    > int error = 0;
    >
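
    Review bot: as a compile-time option this needs a custom kernel; a read-only loader tunable checked at the top of both syscalls, set from loader.conf and never lowered once set, would give the same effect on a stock kernel and could be made one-way like securelevel. If the compile-time form is deliberate (harder to flip than a boot setting), say so in the NOTES entry. Also `return (EPERM);` here for consistency with the `return (error);` in the hunk below.
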
    > -764,6 +774,7
    > out:
    > mtx_unlock(&Giant);
    > return (error);
    > +#endif
    > }
    >
    > /*
    >
    > To Unsubscribe: send mail to majordomo@FreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message

