d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
freebsd-nq/share/man/man7
History
Mark Johnston f5d6f7cb47 kdb: Modify securelevel policy 
Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel, see commit 3d7618d8bf0b7.  However, the newer mac_ddb(4)
restricts DDB operations which could be abused to lower securelevel
while retaining some ability to gather useful debugging information.

To enable the use of KDB (specifically, DDB) on systems with a raised
securelevel, change the KDB sysctl policy: rather than relying on
CTLFLAG_SECURE, add a check of the current securelevel to kdb_trap().
If the securelevel is raised, only pass control to the backend if MAC
specifically grants access; otherwise simply check to see if mac_ddb
vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour.  That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.

Reviewed by:	mhorne, stevek
MFC after:	1 month
Sponsored by:	Juniper Networks
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D37122
2023-04-03 04:14:02 -04:00
..
arch.7
arch.7: Drop most mentions of MIPS.
2023-04-03 04:10:00 -04:00
ascii.7
ascii.7: Add full names of the control character set
2022-11-12 12:22:22 +01:00
bsd.snmpmod.mk.7
Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while
2010-08-16 15:18:30 +00:00
build.7
cleankernel: A target to delete the kernel compile file
2022-02-11 12:51:24 -07:00
c.7
c.7: Fix some typos
2021-04-20 10:33:34 +02:00
clocks.7
Remove kgmon(8)
2021-04-04 00:50:28 +03:00
crypto.7
Remove "All Rights Reserved" from Foundation copyrights
2022-06-30 10:54:30 -04:00
development.7
development(7): redirect users from hier(7)
2022-11-01 12:20:55 -03:00
environ.7
Indicate that xrefs to *roff,tbl,eqn et al are found in ports/textproc/groff.
2022-08-15 22:15:18 +02:00
ffs.7
Add HISTORY sections to build(7), crypto(7),
2020-05-03 09:54:19 +00:00
firewall.7
mdoc sweep
2013-05-13 18:13:50 +00:00
growfs.7
growfs(7): conditionalize mention of adding dump device
2023-01-23 08:37:07 -06:00
hier.7
Fix igor and mandoc -T lint low-hanging fruit in hier(7)
2022-11-23 22:40:16 +01:00
hostname.7
Remove spurious comma.
2019-04-09 10:17:24 +00:00
intro.7
intro.7: Add missing manual page
2020-11-19 16:57:45 +00:00
maclabel.7
Makefile
Add sizeof(7) manual page
2022-12-13 06:43:28 +02:00
Makefile.depend
operator.7
orders.7
orders.7: Sync with NetBSD after CGPM
2022-11-20 19:24:57 +01:00
ports.7
Fix mdoc issues found by mandoc -Tlint.
2022-02-25 17:41:19 +01:00
release.7
release.7: Correct a variable name
2023-01-27 14:01:12 -05:00
sdoc.7
security.7
kdb: Modify securelevel policy
2023-04-03 04:14:02 -04:00
sizeof.7
sizeof(7): miscellaneous edits
2022-12-14 07:44:04 +02:00
sprog.7
stats.7
stats.7: Fix a typo
2022-03-04 12:35:55 +01:00
stdint.7
mdoc(7): Use the new feature of the .In macro.
2003-09-08 19:57:22 +00:00
sticky.7
tests.7
update command to one that will actually give results
2022-05-10 20:14:20 -07:00
tuning.7
Track kern.ipc.somaxconn -> kern.ipc.soacceptqueue rename
2022-10-11 12:46:46 -04:00