freebsd-nq/share/man/man7
Mark Johnston cab1056105 kdb: Modify securelevel policy
Currently, sysctls which enable KDB in some way are flagged with
CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0.
This is so that KDB cannot be used to lower a running system's
securelevel, see commit 3d7618d8bf.  However, the newer mac_ddb(4)
restricts DDB operations which could be abused to lower securelevel
while retaining some ability to gather useful debugging information.

To enable the use of KDB (specifically, DDB) on systems with a raised
securelevel, change the KDB sysctl policy: rather than relying on
CTLFLAG_SECURE, add a check of the current securelevel to kdb_trap().
If the securelevel is raised, only pass control to the backend if MAC
specifically grants access; otherwise simply check to see if mac_ddb
vetoes the request, as before.

Add a new secure sysctl, debug.kdb.enter_securelevel, to override this
behaviour.  That is, the sysctl lets one enter a KDB backend even with a
raised securelevel, so long as it is set before the securelevel is
raised.

Reviewed by:	mhorne, stevek
MFC after:	1 month
Sponsored by:	Juniper Networks
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D37122
2023-03-30 10:45:00 -04:00
..
arch.7 arch.7: Drop most mentions of MIPS. 2023-03-08 15:06:47 -08:00
ascii.7 ascii.7: Add full names of the control character set 2022-11-12 12:22:22 +01:00
bsd.snmpmod.mk.7
build.7 cleankernel: A target to delete the kernel compile file 2022-02-11 12:51:24 -07:00
c.7 c.7: Fix some typos 2021-04-20 10:33:34 +02:00
clocks.7 Remove kgmon(8) 2021-04-04 00:50:28 +03:00
crypto.7 Remove "All Rights Reserved" from Foundation copyrights 2022-06-30 10:54:30 -04:00
development.7 development(7): redirect users from hier(7) 2022-11-01 12:20:55 -03:00
environ.7 Indicate that xrefs to *roff,tbl,eqn et al are found in ports/textproc/groff. 2022-08-15 22:15:18 +02:00
ffs.7 Add HISTORY sections to build(7), crypto(7), 2020-05-03 09:54:19 +00:00
firewall.7
growfs.7 growfs(7): conditionalize mention of adding dump device 2023-01-23 08:37:07 -06:00
hier.7 Fix igor and mandoc -T lint low-hanging fruit in hier(7) 2022-11-23 22:40:16 +01:00
hostname.7 Remove spurious comma. 2019-04-09 10:17:24 +00:00
intro.7 intro.7: Add missing manual page 2020-11-19 16:57:45 +00:00
maclabel.7
Makefile Add sizeof(7) manual page 2022-12-13 06:43:28 +02:00
Makefile.depend
operator.7
orders.7 orders.7: Sync with NetBSD after CGPM 2022-11-20 19:24:57 +01:00
ports.7 Fix mdoc issues found by mandoc -Tlint. 2022-02-25 17:41:19 +01:00
release.7 release.7: Correct a variable name 2023-01-27 14:01:12 -05:00
sdoc.7
security.7 kdb: Modify securelevel policy 2023-03-30 10:45:00 -04:00
sizeof.7 sizeof(7): miscellaneous edits 2022-12-14 07:44:04 +02:00
sprog.7
stats.7 stats.7: Fix a typo 2022-03-04 12:35:55 +01:00
stdint.7
sticky.7
tests.7 update command to one that will actually give results 2022-05-10 20:14:20 -07:00
tuning.7 Track kern.ipc.somaxconn -> kern.ipc.soacceptqueue rename 2022-10-11 12:46:46 -04:00