On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> Hi,
>
> This diff adjusts the manpage of mem(4) to be more accurate.  You can
> open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
>
> kern/spec_vnops.c:
>
>         if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
>                 ...
>                 /*
>                  * When running in secure mode, do not allow opens
>                  * for writing of /dev/mem, /dev/kmem, or character
>                  * devices whose corresponding block devices are
>                  * currently mounted.
>                  */
>                 if (securelevel >= 1) {
>                         ...
>                         if (iskmemdev(dev))
>                                 return (EPERM);
>                 }
>         }
>
> OK?
>
> bye,
> Jan

Are you sure about that? Have you tested it? https://github.com/openbsd/src/commit/19aedf236181e81baf170421900911c82671fae4 > Index: man4.alpha/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.alpha/mem.4,v > retrieving revision 1.6 > diff -u -p -r1.6 mem.4 > --- man4.alpha/mem.4 12 Jan 2018 04:36:44 -0000 1.6 > +++ man4.alpha/mem.4 17 Jan 2023 18:51:10 -0000 > @@ -62,7 +62,7 @@ kernel virtual memory begins at > .Li 0xfffffc0000230000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.amd64/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.amd64/mem.4,v > retrieving revision 1.6 > diff -u -p -r1.6 mem.4 > --- man4.amd64/mem.4 12 Jan 2018 04:36:44 -0000 1.6 > +++ man4.amd64/mem.4 17 Jan 2023 18:48:23 -0000 > @@ -63,7 +63,7 @@ The kernel virtual memory begins at addr > .Li 0xffffffff80000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.hppa/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.hppa/mem.4,v > retrieving revision 1.4 > diff -u -p -r1.4 mem.4 > --- man4.hppa/mem.4 12 Jan 2018 04:36:44 -0000 1.4 > +++ man4.hppa/mem.4 17 Jan 2023 18:52:28 -0000 
> @@ -51,7 +51,7 @@ On hppa, the physical memory range is al > address 0; kernel virtual memory begins at address 0 as well. > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.i386/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.i386/mem.4,v > retrieving revision 1.12 > diff -u -p -r1.12 mem.4 > --- man4.i386/mem.4 12 Jan 2018 04:36:44 -0000 1.12 > +++ man4.i386/mem.4 17 Jan 2023 18:53:00 -0000 > @@ -63,7 +63,7 @@ long, and ends at virtual address > .Li 0xfe000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.landisk/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.landisk/mem.4,v > retrieving revision 1.4 > diff -u -p -r1.4 mem.4 > --- man4.landisk/mem.4 12 Jan 2018 04:36:44 -0000 1.4 > +++ man4.landisk/mem.4 17 Jan 2023 18:53:54 -0000 > @@ -58,7 +58,7 @@ The kernel virtual memory begins at addr > .Li 0xc0000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.loongson/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.loongson/mem.4,v > retrieving revision 1.4 > diff -u -p -r1.4 mem.4 > --- man4.loongson/mem.4 12 Jan 2018 04:36:44 -0000 1.4 > +++ man4.loongson/mem.4 17 Jan 2023 18:54:33 -0000 
> @@ -88,7 +88,7 @@ The kernel virtual memory begins at addr > .Ad 0xc000000000000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.luna88k/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.luna88k/mem.4,v > retrieving revision 1.4 > diff -u -p -r1.4 mem.4 > --- man4.luna88k/mem.4 12 Jan 2018 04:36:44 -0000 1.4 > +++ man4.luna88k/mem.4 17 Jan 2023 18:54:47 -0000 > @@ -62,7 +62,7 @@ kernel virtual memory begins at > .Ad 0x00000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.macppc/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.macppc/mem.4,v > retrieving revision 1.7 > diff -u -p -r1.7 mem.4 > --- man4.macppc/mem.4 12 Jan 2018 04:36:44 -0000 1.7 > +++ man4.macppc/mem.4 17 Jan 2023 18:55:18 -0000 > @@ -62,7 +62,7 @@ kernel virtual memory begins at > .Ad 0x00000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > Index: man4.sparc64/mem.4 > =================================================================== > RCS file: /cvs/src/share/man/man4/man4.sparc64/mem.4,v > retrieving revision 1.6 > diff -u -p -r1.6 mem.4 > --- man4.sparc64/mem.4 12 Jan 2018 04:36:44 -0000 1.6 > +++ man4.sparc64/mem.4 17 Jan 2023 18:55:36 -0000 
> @@ -64,7 +64,7 @@ kernel virtual memory begins at > .Li 0x001000000 . > .Pp > Even with sufficient file system permissions, > -these devices can only be opened when the > +these devices can only be opened writable when the > .Xr securelevel 7 > is insecure or when the > .Va kern.allowkmem > >
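
Review bot: The added word "writable" in each mem.4 hunk rests only on the spec_vnops.c check quoted in the mail, yet the unchanged context of the same sentence ("is insecure or when the .Va kern.allowkmem") names a condition that check never consults, so another open path must enforce it and may refuse read-only opens as well. Before narrowing the text, confirm in the mem(4) device open routine, or with an O_RDONLY open(2) at securelevel 1 while kern.allowkmem is not set, that the restriction really applies to writes only.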
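
Review bot: The phrase "opened writable" in the "+these devices can only be opened writable when the" line, repeated in all nine pages, reads awkwardly next to open(2) terminology. If the change goes in, "opened for writing" would match the kernel comment quoted in the mail ("do not allow opens for writing") and keep the nine pages consistent with it.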