On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> Hi,
>
> This diff adjusts the manpage of mem(4) to be more accurate. You can
> open(2) mem(4) in securelevel 1 in read-only mode, but not writable.
>
> kern/spec_vnops.c:
>
>     if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
>         ...
>         /*
>          * When running in secure mode, do not allow opens
>          * for writing of /dev/mem, /dev/kmem, or character
>          * devices whose corresponding block devices are
>          * currently mounted.
>          */
>         if (securelevel >= 1) {
>             ...
>             if (iskmemdev(dev))
>                 return (EPERM);
>         }
>     }
>
> OK?
>
> bye,
> Jan
Are you sure about that? Have you tested it?
https://github.com/openbsd/src/commit/19aedf236181e81baf170421900911c82671fae4
> Index: man4.alpha/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.alpha/mem.4 12 Jan 2018 04:36:44 -0000 1.6
> +++ man4.alpha/mem.4 17 Jan 2023 18:51:10 -0000
> @@ -62,7 +62,7 @@ kernel virtual memory begins at
> .Li 0xfffffc0000230000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
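Review bot: the reworded sentence asserts that a read-only open(2) of these devices succeeds at securelevel 1, but the spec_vnops.c excerpt quoted above only shows the branch taken when FWRITE is set, so it does not establish what happens to a read-only open, and the reply already asks whether this was tested. The pages being edited document the arch mem(4) driver itself, whose open path is not shown here; confirm with an actual read-only open(2) of /dev/mem and /dev/kmem at securelevel 1 before changing the wording, and drop the hunk if that open is refused. If the change does go in, "can only be opened for writing when the" reads better in man page style than "opened writable".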
> Index: man4.amd64/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.amd64/mem.4 12 Jan 2018 04:36:44 -0000 1.6
> +++ man4.amd64/mem.4 17 Jan 2023 18:48:23 -0000
> @@ -63,7 +63,7 @@ The kernel virtual memory begins at addr
> .Li 0xffffffff80000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.hppa/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.hppa/mem.4 12 Jan 2018 04:36:44 -0000 1.4
> +++ man4.hppa/mem.4 17 Jan 2023 18:52:28 -0000
> @@ -51,7 +51,7 @@ On hppa, the physical memory range is al
> address 0; kernel virtual memory begins at address 0 as well.
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.i386/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v
> retrieving revision 1.12
> diff -u -p -r1.12 mem.4
> --- man4.i386/mem.4 12 Jan 2018 04:36:44 -0000 1.12
> +++ man4.i386/mem.4 17 Jan 2023 18:53:00 -0000
> @@ -63,7 +63,7 @@ long, and ends at virtual address
> .Li 0xfe000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.landisk/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.landisk/mem.4 12 Jan 2018 04:36:44 -0000 1.4
> +++ man4.landisk/mem.4 17 Jan 2023 18:53:54 -0000
> @@ -58,7 +58,7 @@ The kernel virtual memory begins at addr
> .Li 0xc0000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.loongson/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.loongson/mem.4 12 Jan 2018 04:36:44 -0000 1.4
> +++ man4.loongson/mem.4 17 Jan 2023 18:54:33 -0000
> @@ -88,7 +88,7 @@ The kernel virtual memory begins at addr
> .Ad 0xc000000000000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.luna88k/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v
> retrieving revision 1.4
> diff -u -p -r1.4 mem.4
> --- man4.luna88k/mem.4 12 Jan 2018 04:36:44 -0000 1.4
> +++ man4.luna88k/mem.4 17 Jan 2023 18:54:47 -0000
> @@ -62,7 +62,7 @@ kernel virtual memory begins at
> .Ad 0x00000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.macppc/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.macppc/mem.4,v
> retrieving revision 1.7
> diff -u -p -r1.7 mem.4
> --- man4.macppc/mem.4 12 Jan 2018 04:36:44 -0000 1.7
> +++ man4.macppc/mem.4 17 Jan 2023 18:55:18 -0000
> @@ -62,7 +62,7 @@ kernel virtual memory begins at
> .Ad 0x00000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
> Index: man4.sparc64/mem.4
> ===================================================================
> RCS file: /cvs/src/share/man/man4/man4.sparc64/mem.4,v
> retrieving revision 1.6
> diff -u -p -r1.6 mem.4
> --- man4.sparc64/mem.4 12 Jan 2018 04:36:44 -0000 1.6
> +++ man4.sparc64/mem.4 17 Jan 2023 18:55:36 -0000
> @@ -64,7 +64,7 @@ kernel virtual memory begins at
> .Li 0x001000000 .
> .Pp
> Even with sufficient file system permissions,
> -these devices can only be opened when the
> +these devices can only be opened writable when the
> .Xr securelevel 7
> is insecure or when the
> .Va kern.allowkmem
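Review bot: this hunk and the eight before it change the identical sentence in nine architecture pages, so the same verification and wording comment applies to all of them; whichever sentence is settled on must be applied uniformly, since a page-by-page mix of "opened" and "opened writable" would document different behaviour for the same driver.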
>
>
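An empirical check for the claim debated in this thread, added here as an example and not code from the thread, the OpenBSD tree or its authors: a small C probe that opens a path with each open(2) mode and reports whether the kernel accepted it, without reading or writing anything. Run it as root at securelevel 0, again at securelevel 1, and with kern.allowkmem toggled, and compare the results with the sentence in mem.4. The scratch-file helper and the paths used in the test are constructed only to exercise the probe on ordinary input.

```c
/* Added example: probe open(2) on device nodes to see which modes the
 * kernel currently permits.  Nothing is read from or written to the
 * descriptor; it is closed immediately after the open succeeds. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Try to open PATH with FLAGS.  Return 0 on success, else the errno. */
int
probe_open(const char *path, int flags)
{
	int fd = open(path, flags | O_NOCTTY);

	if (fd == -1)
		return errno;
	close(fd);
	return 0;
}

/* Create an empty scratch file (constructed test input) and return its
 * path, or NULL on failure.  A fresh template is used on every call. */
const char *
make_scratch_file(void)
{
	static char path[64];
	int fd;

	snprintf(path, sizeof(path), "/tmp/memprobe.XXXXXX");
	fd = mkstemp(path);
	if (fd == -1)
		return NULL;
	close(fd);
	return path;
}

/* Print one line per open mode for PATH: "ok" or the strerror text. */
static void
report(const char *path)
{
	static const struct {
		int flags;
		const char *name;
	} modes[] = {
		{ O_RDONLY, "O_RDONLY" },
		{ O_WRONLY, "O_WRONLY" },
		{ O_RDWR,   "O_RDWR"   },
	};
	size_t i;

	for (i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
		int err = probe_open(path, modes[i].flags);

		printf("%-12s %-8s %s\n", path, modes[i].name,
		    err == 0 ? "ok" : strerror(err));
	}
}

/* With no arguments, probe /dev/mem and /dev/kmem; otherwise each path given. */
int
main(int argc, char *argv[])
{
	int i;

	if (argc < 2) {
		report("/dev/mem");
		report("/dev/kmem");
	} else {
		for (i = 1; i < argc; i++)
			report(argv[i]);
	}
	return 0;
}
```

On the device nodes the interesting comparison is O_RDONLY against O_WRONLY/O_RDWR at securelevel 1: if both report EPERM, the existing wording "can only be opened when" is the accurate one; if only the write modes do, the proposed wording is.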