CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/07/15 15:20:08
Modified files:
sys/kern : kern_time.c
Log message:
settimeofday(2): securelevel 2: prevent root from freezing the UTC clock
At securelevel 2 we prevent root from rewinding the kernel UTC clock.
The rationale given in the comment is that this prevents a compromised
root from setting arbitrary timestamps on files.
I can't really speak to the efficacy of this mitigation, or to the
efficacy of the securelevel concept in general, but the implementation
of this mitigation is wrong. We need to check:
timespeccmp(ts, &now, <=)
instead of
timespeccmp(ts, &now, <)
like we do now.
Time is a continuous value that is always advancing. We must prevent
root from setting the kernel UTC clock to its current value in
addition to prior values. Setting the UTC clock to its current value
amounts to rewinding it even if we cannot actually measure the
difference with a timespec.
With this change, at securelevel 2, root can no longer completely
freeze the UTC clock.
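The guard described above, modelled in user space as an added example (not code from the OpenBSD tree): timespeccmp() follows the BSD <sys/time.h> macro, and settime_check_old()/settime_check_fixed() are hypothetical names standing in for the pre- and post-fix check in settime().

```c
#include <errno.h>
#include <stdio.h>
#include <time.h>

/*
 * Added example, not kernel code: a user-space model of the
 * securelevel-2 guard in settime(). timespeccmp() follows the
 * BSD <sys/time.h> macro; settime_check_*() are hypothetical names.
 */
#define timespeccmp(tsp, usp, cmp)                      \
	(((tsp)->tv_sec == (usp)->tv_sec) ?             \
	    ((tsp)->tv_nsec cmp (usp)->tv_nsec) :       \
	    ((tsp)->tv_sec cmp (usp)->tv_sec))

/* Old check: only strictly earlier times are refused, so ts == now passes. */
int settime_check_old(int securelevel, const struct timespec *ts,
    const struct timespec *now)
{
	if (securelevel > 1 && timespeccmp(ts, now, <))
		return EPERM;	/* settimeofday(2) fails with EPERM */
	return 0;
}

/* Fixed check: ts == now also counts as rewinding and is refused. */
int settime_check_fixed(int securelevel, const struct timespec *ts,
    const struct timespec *now)
{
	if (securelevel > 1 && timespeccmp(ts, now, <=))
		return EPERM;
	return 0;
}

int main(void)
{
	/* Constructed clock reading; "same" is what a freeze attempt sets. */
	struct timespec now = { 1594826408, 500000000 }, same = now;
	struct timespec earlier = { 1594826408, 499999999 };
	struct timespec later = { 1594826409, 0 };

	printf("old:   same=%d earlier=%d later=%d\n",
	    settime_check_old(2, &same, &now),
	    settime_check_old(2, &earlier, &now),
	    settime_check_old(2, &later, &now));
	printf("fixed: same=%d earlier=%d later=%d\n",
	    settime_check_fixed(2, &same, &now),
	    settime_check_fixed(2, &earlier, &now),
	    settime_check_fixed(2, &later, &now));
	return 0;
}
```

Setting the clock to exactly its current reading is accepted by the old check and refused by the fixed one; a genuinely later time passes both, and at securelevel below 2 neither check applies.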