From d0615c64a5448ad63ade0b793516145efc846d31 Mon Sep 17 00:00:00 2001
From: "Andrew R. Reiter"
Date: Wed, 16 Jan 2002 06:55:30 +0000
Subject: [PATCH] - Attempt to help declutter kern. sysctl by moving security out from beneath it.
Reviewed by: rwatson
---
 sbin/sysctl/sysctl.8 | 10 +++++-----
 share/doc/papers/jail/mgt.ms | 2 +-
 sys/kern/kern_cap.c | 4 ++--
 sys/kern/kern_jail.c | 10 +++++-----
 sys/kern/kern_mib.c | 2 ++
 sys/kern/kern_prot.c | 15 +++++++--------
 sys/kern/subr_prf.c | 4 ++--
 usr.sbin/jail/jail.8 | 12 ++++++------
 8 files changed, 30 insertions(+), 29 deletions(-)
diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8
index ec2e0540acb4..3790c6d98112 100644
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@@ -136,7 +136,7 @@ For a detailed description of these variable see
 .Pp
 The changeable column indicates whether a process with appropriate
 privilege can change the value.
-.Bl -column kern.security.bsd.unprivileged_read_msgbuf integerxxx
+.Bl -column security.bsd.unprivileged_read_msgbuf integerxxx
 .It Sy "Name Type Changeable
 .It "kern.ostype string no
 .It "kern.osrelease string no
@@ -165,10 +165,10 @@ privilege can change the value.
 .It "kern.bootfile string yes
 .It "kern.corefile string yes
 .It "kern.logsigexit integer yes
-.It "kern.security.bsd.suser_enabled integer yes
-.It "kern.security.bsd.see_other_uids integer yes
-.It "kern.security.bsd.unprivileged_proc_debug integer yes
-.It "kern.security.bsd.unprivileged_read_msgbuf integer yes
+.It "security.bsd.suser_enabled integer yes
+.It "security.bsd.see_other_uids integer yes
+.It "security.bsd.unprivileged_proc_debug integer yes
+.It "security.bsd.unprivileged_read_msgbuf integer yes
 .It "vm.loadavg struct no
 .It "hw.machine string no
 .It "hw.model string no
diff --git a/share/doc/papers/jail/mgt.ms b/share/doc/papers/jail/mgt.ms
index 524dae00dbe6..e2835d7f4947 100644
--- a/share/doc/papers/jail/mgt.ms
+++ b/share/doc/papers/jail/mgt.ms
@@ -193,7 +193,7 @@ jails to set the hostname of the jail, which makes the status file less useful from a management perspective if the contents of the jail are malicious. To prevent a jail from changing its hostname, the
-"kern.security.jail.set_hostname_allowed" sysctl may be set to 0 prior to
+"security.jail.set_hostname_allowed" sysctl may be set to 0 prior to
 starting any jails.
 .PP
 One aspect immediately observable in an environment with multiple jails
diff --git a/sys/kern/kern_cap.c b/sys/kern/kern_cap.c
index c9be68d4e4fc..caa1f1a14baa 100644
--- a/sys/kern/kern_cap.c
+++ b/sys/kern/kern_cap.c
@@ -61,9 +61,9 @@ static int capabilities_enabled = 0;
-SYSCTL_NODE(_kern_security, OID_AUTO, capabilities, CTLFLAG_RW, 0,
+SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0,
 "POSIX.1e Capabilities");
-SYSCTL_INT(_kern_security_capabilities, OID_AUTO, enabled, CTLFLAG_RW,
+SYSCTL_INT(_security_capabilities, OID_AUTO, enabled, CTLFLAG_RW,
 &capabilities_enabled, 0, "POSIX.1e Capabilities enabled");
 #endif
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 01ddc1e65e16..0ae8d3fad96d 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
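Review bot: The renamed `SYSCTL_NODE(_security, ...)` and `SYSCTL_INT(_security_capabilities, ...)` lines in kern_cap.c reference `_security` without a visible `SYSCTL_DECL(_security)`; kern_jail.c and kern_prot.c in this same commit add that declaration, but this hunk does not, and the trailing `#endif` shows the block is compiled only under a build option, so an undeclared `_security` here would not surface in a default build. If the old `SYSCTL_DECL(_kern_security)` lives elsewhere in kern_cap.c it needs the same rename; otherwise add `SYSCTL_DECL(_security);` above the node definition, as kern_jail.c does. This is inferred from the hunk alone; the rest of kern_cap.c and the enclosing `#if` are outside the patch.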
@@ -28,24 +28,24 @@ MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
-SYSCTL_DECL(_kern_security);
-SYSCTL_NODE(_kern_security, OID_AUTO, jail, CTLFLAG_RW, 0,
+SYSCTL_DECL(_security);
+SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
 "Jail rules");
 mp_fixme("these variables need a lock")
 int jail_set_hostname_allowed = 1;
-SYSCTL_INT(_kern_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
 &jail_set_hostname_allowed, 0,
 "Processes in jail can set their hostnames");
 int jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_kern_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
 &jail_socket_unixiproute_only, 0,
 "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
 int jail_sysvipc_allowed = 0;
-SYSCTL_INT(_kern_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
 &jail_sysvipc_allowed, 0,
 "Processes in jail can use System V IPC primitives");
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c
index a83b5dfc0ed2..c5ac74771fbe 100644
--- a/sys/kern/kern_mib.c
+++ b/sys/kern/kern_mib.c
@@ -77,6 +77,8 @@ SYSCTL_NODE(, CTL_P1003_1B, p1003_1b, CTLFLAG_RW, 0,
 SYSCTL_NODE(, OID_AUTO, compat, CTLFLAG_RW, 0,
 "Compatibility code");
+SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW, 0,
+ "Security");
 #ifdef REGRESSION
 SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0,
 "Regression test MIB");
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 6164a44004a0..4214cc1ddf40 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -63,9 +63,8 @@ static MALLOC_DEFINE(M_CRED, "cred", "credentials");
-SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
- "Kernel security policy");
-SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
+SYSCTL_DECL(_security);
+SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
 "BSD security policy");
 #ifndef _SYS_SYSPROTO_H_
@@ -1190,7 +1189,7 @@ groupmember(gid, cred)
 }
 /*
- * `suser_enabled' (which can be set by the kern.security.suser_enabled
+ * `suser_enabled' (which can be set by the security.suser_enabled
  * sysctl) determines whether the system 'super-user' policy is in effect.
  * If it is nonzero, an effective uid of 0 connotes special privilege,
  * overriding many mandatory and discretionary protections. If it is zero,
@@ -1200,9 +1199,9 @@ groupmember(gid, cred)
  * consideration of the consequences.
  */
 int suser_enabled = 1;
-SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
+SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
 &suser_enabled, 0, "processes with uid 0 have privilege");
-TUNABLE_INT("kern.security.bsd.suser_enabled", &suser_enabled);
+TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
 /*
  * Test whether the specified credentials imply "super-user" privilege.
@@ -1312,7 +1311,7 @@ securelevel_ge(struct ucred *cr, int level)
  * XXX: data declarations should be together near the beginning of the file.
  */
 static int see_other_uids = 1;
-SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
+SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
 &see_other_uids, 0,
 "Unprivileged processes may see subjects/objects with different real uid");
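Review bot: The comment rewritten in the `@@ -1190` hunk still names a sysctl that does not exist: it says `security.suser_enabled`, while the OID registered a few lines later is `SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, ...)`, i.e. `security.bsd.suser_enabled` (the `bsd` component was already missing before this rename and the new line carries the error over). Change it to ` * \`suser_enabled' (which can be set by the security.bsd.suser_enabled`. Separately, `TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);` drops the old `kern.security.bsd.suser_enabled` name with no compatibility alias, so a loader.conf that disables super-user privilege under the old name silently stops applying and the knob falls back to its default of `1`, a fail-open for a hardening setting; if old configurations are expected in the field, consider keeping a second `TUNABLE_INT("kern.security.bsd.suser_enabled", &suser_enabled);` for a transition period or at least calling the rename out in UPDATING. The same applies to sysctl.conf entries for the other renamed OIDs, which will be reported as unknown at boot rather than applied.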
@@ -1491,7 +1490,7 @@ p_cansched(struct proc *p1, struct proc *p2)
  * XXX: data declarations should be together near the beginning of the file.
  */
 static int unprivileged_proc_debug = 1;
-SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
 &unprivileged_proc_debug, 0,
 "Unprivileged processes may use process debugging facilities");
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index fcb2dd5efc94..164bbf770865 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -819,10 +819,10 @@ msgbufinit(void *ptr, size_t size)
 oldp = msgbufp;
 }
-SYSCTL_DECL(_kern_security_bsd);
+SYSCTL_DECL(_security_bsd);
 static int unprivileged_read_msgbuf = 1;
-SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
 CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
 "Unprivileged processes may read the kernel message buffer");
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 7595e007bcdf..3866d19c9ec9 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -233,7 +233,7 @@ script from within the jail.
 .Pp
 NOTE: If you plan to allow untrusted users to have root access inside the jail, you may wish to consider setting the
-.Va kern.security.jail.set_hostname_allowed
+.Va security.jail.set_hostname_allowed
 to 0. Please see the management reasons why this is a good idea. If you do decide to set this variable,
@@ -311,14 +311,14 @@ default, modified from within the jail, so the status entry is unreliable by default. To disable the setting of the hostname from within a jail, set the
-.Va kern.security.jail.set_hostname_allowed
+.Va security.jail.set_hostname_allowed
 sysctl variable in the host environment to 0, which will affect all jails. You can have this sysctl set on each boot using
 .Xr sysctl.conf 5 .
 Just add the following line to
 .Pa /etc/sysctl.conf :
 .Pp
-.Dl kern.security.jail.set_hostname_allowed=0
+.Dl security.jail.set_hostname_allowed=0
 .Pp
 In a future version of
 .Fx ,
@@ -332,7 +332,7 @@ MIB variables. Currently, these variables affect all jails on the system, although in the future this functionality may be finer grained.
 .Bl -tag -width XXX
-.It Va kern.security.jail.set_hostname_allowed
+.It Va security.jail.set_hostname_allowed
 This MIB entry determines whether or not processes within a jail are allowed to change their hostname via
 .Xr hostname 1
@@ -344,7 +344,7 @@ information in
 .Pa /proc .
 As such, this should be disabled in environments where privileged access to jails is given out to untrusted parties.
-.It Va kern.security.jail.socket_unixiproute_only
+.It Va security.jail.socket_unixiproute_only
 The jail functionality binds an IPv4 address to each jail, and limits access to other network addresses in the IPv4 space that may be available in the host environment.
@@ -361,7 +361,7 @@ domain sockets, IPv4 addresses, and routing sockets. To enable access to other domains, this MIB variable may be set to 0.
-.It Va kern.security.jail.sysvipc_allowed
+.It Va security.jail.sysvipc_allowed
 This MIB entry determines whether or not processes within a jail have access to System V IPC primitives. In the current jail implementation, System V primitives share a single