Documentation/seclvl.txt 3.01 KB
1da177e4c   Linus Torvalds   Linux-2.6.12-rc2
  BSD Secure Levels Linux Security Module
  Michael A. Halcrow <mike@halcrow.us>
  
  
  Introduction
  
  Under the BSD Secure Levels security model, sets of policies are
  associated with levels. Levels range from -1 to 2, with -1 being the
  weakest and 2 being the strongest. These security policies are
  enforced at the kernel level, so not even the superuser is able to
  disable or circumvent them. This hardens the machine against attackers
  who gain root access to the system.
  
  
  Levels and Policies
  
  Level -1 (Permanently Insecure):
   - Cannot increase the secure level
  
  Level 0 (Insecure):
   - Cannot ptrace the init process
  
  Level 1 (Default):
   - /dev/mem and /dev/kmem are read-only
   - IMMUTABLE and APPEND extended attributes, if set, may not be unset
   - Cannot load or unload kernel modules
   - Cannot write directly to a mounted block device
   - Cannot perform raw I/O operations
   - Cannot perform network administrative tasks
   - Cannot setuid any file
  
  Level 2 (Secure):
   - Cannot decrement the system time
   - Cannot write to any block device, whether mounted or not
   - Cannot unmount any mounted filesystems
  
  
  Compilation
  
  To compile the BSD Secure Levels LSM, seclvl.ko, enable the
  SECURITY_SECLVL configuration option.  This is found under Security
  options -> BSD Secure Levels in the kernel configuration menu.
  
  
  Basic Usage
  
  Once the machine is in a running state, with all the necessary modules
  loaded and all the filesystems mounted, you can load the seclvl.ko
  module:
  
  # insmod seclvl.ko
  
  The module defaults to secure level 1, except when compiled directly
  into the kernel, in which case it defaults to secure level 0. To raise
  the secure level to 2, the administrator writes ``2'' to the
  seclvl/seclvl file under the sysfs mount point (assumed to be /sys in
  these examples):
  
  # echo -n "2" > /sys/seclvl/seclvl
  
  Alternatively, you can initialize the module at secure level 2 with
  the initlvl module parameter:
  
  # insmod seclvl.ko initlvl=2
  
  At this point, it is impossible to remove the module or reduce the
  secure level.  If the administrator wishes to have the option of doing
  so, he must provide a module parameter, sha1_passwd, that specifies
  the SHA1 hash of the password that can be used to reduce the secure
  level to 0.
  
  To generate this SHA1 hash, the administrator can use OpenSSL:
  
  # echo -n "boogabooga" | openssl sha1
  abeda4e0f33defa51741217592bf595efb8d289c
  
  In order to use password-instigated secure level reduction, the SHA1
  crypto module must be loaded or compiled into the kernel:
  
  # insmod sha1.ko
  
  The administrator can then insmod the seclvl module, including the
  SHA1 hash of the password:
  
  # insmod seclvl.ko \
           sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c
  
  To reduce the secure level, write the password to seclvl/passwd under
  your sysfs mount point:
  
  # echo -n "boogabooga" > /sys/seclvl/passwd
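
  The hash-generation and module-loading steps above, as an added
  example that is not part of the original document or the seclvl
  source: it hashes exactly the password bytes (no trailing newline, as
  with echo -n), validates the digest, and prints the insmod line, with
  the password read without echo so it stays out of the shell history.
  The function names and the --prompt flag are hypothetical.

```shell
#!/bin/sh
# Added example; function names and the --prompt flag are hypothetical.
LC_ALL=C; export LC_ALL   # make the [0-9a-f] range below byte-exact

# Print the lowercase hex SHA1 of stdin (sha1sum, else openssl).
seclvl_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | awk '{print $1}'
    else
        openssl sha1 | awk '{print $NF}'   # digest is the last field
    fi
}

# Hash exactly the bytes of $1: printf '%s' adds no trailing newline,
# matching the "echo -n" used for sha1_passwd and /sys/seclvl/passwd.
seclvl_hash_password() {
    printf '%s' "$1" | seclvl_sha1
}

# Succeed only if $1 is 40 lowercase hex digits (a SHA1 in hex).
seclvl_valid_hash() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print the single-line insmod command for a validated hash.
seclvl_insmod_cmd() {
    seclvl_valid_hash "$1" || { echo "not a SHA1 hex digest" >&2; return 1; }
    printf 'insmod seclvl.ko sha1_passwd=%s\n' "$1"
}

# Interactive use: sh thisfile --prompt
if [ "${1:-}" = "--prompt" ]; then
    printf 'Password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    seclvl_insmod_cmd "$(seclvl_hash_password "$pw")"
fi
```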
  
  The September 2004 edition of Sys Admin Magazine has an article about
  the BSD Secure Levels LSM.  I encourage you to refer to that article
  for a more in-depth treatment of this security module:
  
  http://www.samag.com/documents/s=9304/sam0409a/0409a.htm