Once securelevel has been increased, no process can decrease it because
kernel always refuse decreasing it. This is inconsistent with the
manual page of init:
The kernel runs with four different levels of security. Any super-user
process can raise the security level, but only init can lower it.
Is there any security problem to implement this? If no, could someone
review following patch?
kato
---------- BEGIN ----------
*** kern_mib.c.ORIG Mon Sep 6 13:46:40 1999
--- kern_mib.c Mon Sep 6 13:49:44 1999
***************
*** 178,184 ****
error = sysctl_handle_int(oidp, &level, 0, req);
if (error || !req->newptr)
return (error);
! if (level < securelevel)
return (EPERM);
securelevel = level;
return (error);
--- 178,184 ----
error = sysctl_handle_int(oidp, &level, 0, req);
if (error || !req->newptr)
return (error);
! if (level < securelevel && req->p->p_pid != 1)
return (EPERM);
securelevel = level;
return (error);
---------- END ----------
-----------------------------------------------+--------------------------+
KATO Takenori <[EMAIL PROTECTED]> | FreeBSD |
Dept. Earth Planet. Sci, Nagoya Univ. | The power to serve! |
Nagoya, 464-8602, Japan | http://www.FreeBSD.org/ |
++++ FreeBSD(98) 3.2: Rev. 01 available! |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available! +==========================+
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message