Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the system state, including sensitive data such as
signing keys.
However, having some access to debugger functionality on production
systems may be useful in determining the cause of a panic or hang.
Therefore, it is desirable to have an optional policy which allows
limited use of ddb(4) while disabling the functionality which could
reveal system secrets.
This loadable MAC module allows for the use of some ddb(4) commands
while preventing the execution of others. The commands have been broadly
grouped into three categories:
- Those which are 'safe' and will not emit sensitive data (e.g. trace).
Generally, these commands are deterministic and don't accept
arguments.
- Those which are definitively unsafe (e.g. examine <addr>, search
<addr> <value>)
- Commands which may be safe to execute depending on the arguments
provided (e.g. show thread <addr>).
Safe commands have been flagged as such with the DB_CMD_MEMSAFE flag.
Commands requiring extra validation can provide a function to do so.
For example, 'show thread <addr>' can be used as long as addr can be
checked against the system's list of process structures.
The policy also prevents debugger backends other than ddb(4) from
executing, for example gdb(4).
Reviewed by: markj, pauamma_gundo.com (manpages)
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D35371
alowing the DDB output capture buffer to be easily extracted from
user space. Both of these commands include -M/-N arguments, allowing
them to be used with kernel crash dumps (or /dev/mem).
This makes it easier to use DDB scripting and output capture with
minidumps or full dumps rather than with text dumps, allowing DDB
output (scripted or otherwise) to be easily extracted from a crash
dump.
MFC after: 1 week
Discussed with: brooks, jhb
managed from userspace. It is largely a wrapper for sysctl()
calls, but because the sysctls for adding and removing scripts
are awkward to use directly, this provides an easier-to-use
interface.
MFC after: 3 months
