Alexander Nasonov wrote: > When securelevel is set, should the 1->0 change of > machdep.svs.enabled be locked (and possibly the same for other sysctls related > to recent security mitigations)?
Can I commit the attached patch? (doc update will follow) -- Alex
Index: src/sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.75
diff -p -u -u -r1.75 kauth.h
--- src/sys/sys/kauth.h 28 Aug 2017 00:46:07 -0000 1.75
+++ src/sys/sys/kauth.h 24 Apr 2018 17:59:13 -0000
@@ -320,7 +320,8 @@ enum {
 KAUTH_MACHDEP_NVRAM,
 KAUTH_MACHDEP_UNMANAGEDMEM,
 KAUTH_MACHDEP_PXG,
-KAUTH_MACHDEP_X86PMC
+KAUTH_MACHDEP_X86PMC,
+KAUTH_MACHDEP_SVS_DISABLE
 };
 
 /*
Index: src/sys/secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.43
diff -p -u -u -r1.43 secmodel_suser.c
--- src/sys/secmodel/suser/secmodel_suser.c 14 Jun 2017 17:48:41 -0000 1.43
+++ src/sys/secmodel/suser/secmodel_suser.c 24 Apr 2018 17:59:13 -0000
@@ -854,6 +854,7 @@ secmodel_suser_machdep_cb(kauth_cred_t c
 case KAUTH_MACHDEP_UNMANAGEDMEM:
 case KAUTH_MACHDEP_PXG:
 case KAUTH_MACHDEP_X86PMC:
+case KAUTH_MACHDEP_SVS_DISABLE:
 if (isroot)
 result = KAUTH_RESULT_ALLOW;
 break;
Index: src/sys/secmodel/securelevel/secmodel_securelevel.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
retrieving revision 1.30
diff -p -u -u -r1.30 secmodel_securelevel.c
--- src/sys/secmodel/securelevel/secmodel_securelevel.c 25 Feb 2014 18:30:13 -0000 1.30
+++ src/sys/secmodel/securelevel/secmodel_securelevel.c 24 Apr 2018 17:59:13 -0000
@@ -494,6 +494,11 @@ secmodel_securelevel_machdep_cb(kauth_cr
 result = KAUTH_RESULT_DENY;
 break;
 
+case KAUTH_MACHDEP_SVS_DISABLE:
+if (securelevel > 0)
+result = KAUTH_RESULT_DENY;
+break;
+
 case KAUTH_MACHDEP_CPU_UCODE_APPLY:
 if (securelevel > 1)
 result = KAUTH_RESULT_DENY;
Index: src/sys/arch/x86/x86/svs.c
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/x86/svs.c,v
retrieving revision 1.17
diff -p -u -u -r1.17 svs.c
--- src/sys/arch/x86/x86/svs.c 30 Mar 2018 19:58:05 -0000 1.17
+++ src/sys/arch/x86/x86/svs.c 24 Apr 2018 17:59:11 -0000
@@ -38,6 +38,7 @@ __KERNEL_RCSID(0, "$NetBSD: svs.c,v 1.17
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/cpu.h>
+#include <sys/kauth.h>
 #include <sys/sysctl.h>
 #include <sys/xcall.h>
 
@@ -737,11 +738,13 @@ sysctl_machdep_svs_enabled(SYSCTLFN_ARGS
 error = 0;
 else
 error = EOPNOTSUPP;
-} else {
-if (svs_enabled)
+} else if (svs_enabled) {
+error = kauth_authorize_machdep(kauth_cred_get(),
+KAUTH_MACHDEP_SVS_DISABLE, NULL, NULL, NULL, NULL);
+if (!error)
 error = svs_disable();
-else
-error = 0;
+} else {
+error = 0;
 }
 
 return error;
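Review bot: The new KAUTH_MACHDEP_SVS_DISABLE case denies at securelevel > 0, a stricter threshold than the adjacent KAUTH_MACHDEP_CPU_UCODE_APPLY case (> 1), and nothing in the hunk records why the two differ; a one-line comment above the new `case` would keep a later "harmonisation" from weakening it, e.g. `/* SVS is a kernel-memory isolation mitigation; once the system is secure it stays on. */`. The follow-up documentation mentioned in the mail should list the action in securelevel(7) next to the other machdep actions it restricts, and in kauth(9) for the new enum value. secmodel_securelevel_machdep_cb starts and ends outside the hunk, so I cannot see whether the default result is ALLOW or DEFER here; the deny-only pattern matches the neighbouring cases.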
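Review bot: The kauth_authorize_machdep() call in sysctl_machdep_svs_enabled guards only the enabled→disabled transition, and the hunk does not say why the other direction needs no secmodel check; a short comment above `} else if (svs_enabled) {` would make that explicit, e.g. `/* Disabling SVS removes a mitigation: let the secmodels veto it (securelevel denies it above 0). */`. The preceding branch appears to return EOPNOTSUPP when asked to enable SVS while it is off, which suggests re-enabling at run time is unsupported rather than merely unchecked — worth stating in the same comment if so. Consider also issuing the authorization before testing svs_enabled, so that a write of 0 is refused for the same reason whether or not SVS is currently on, instead of succeeding silently on the already-disabled path; that is a policy choice, not a defect. The start of the function, where the requested value is read via sysctl_lookup, lies outside the hunk.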