o Introduce kern.security.bsd.unprivileged_read_msgbuf, which allows
the administrator to restrict access to the kernel message buffer. It defaults to '1', which permits access, but if set to '0', requires that the process making the sysctl() have appropriate privilege. o Note that for this to be effective, access to this data via system logs derived from /dev/klog must also be limited. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
Robert Watson
parent
fdd5b232b2
commit
6f3933fa6f
@ -819,12 +819,25 @@ msgbufinit(void *ptr, size_t size)
|
||||
oldp = msgbufp;
|
||||
}
|
||||
|
||||
SYSCTL_DECL(_kern_security_bsd);
|
||||
|
||||
static int unprivileged_read_msgbuf = 1;
|
||||
SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
|
||||
CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
|
||||
"Unprivileged processes may read the kernel message buffer");
|
||||
|
||||
/* Sysctls for accessing/clearing the msgbuf */
|
||||
static int
|
||||
sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!unprivileged_read_msgbuf) {
|
||||
error = suser_td(req->td);
|
||||
if (error)
|
||||
return (error);
|
||||
}
|
||||
|
||||
/*
|
||||
* Unwind the buffer, so that it's linear (possibly starting with
|
||||
* some initial nulls).
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user