Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
at v2.6.16-rc4 (97 lines, 3.1 kB)

BSD Secure Levels Linux Security Module
Michael A. Halcrow <mike@halcrow.us>


Introduction

Under the BSD Secure Levels security model, sets of policies are
associated with levels. Levels range from -1 to 2, with -1 being the
weakest and 2 being the strongest. These security policies are
enforced at the kernel level, so not even the superuser is able to
disable or circumvent them. This hardens the machine against attackers
who gain root access to the system.


Levels and Policies

Level -1 (Permanently Insecure):
 - Cannot increase the secure level

Level 0 (Insecure):
 - Cannot ptrace the init process

Level 1 (Default):
 - /dev/mem and /dev/kmem are read-only
 - IMMUTABLE and APPEND extended attributes, if set, may not be unset
 - Cannot load or unload kernel modules
 - Cannot write directly to a mounted block device
 - Cannot perform raw I/O operations
 - Cannot perform network administrative tasks
 - Cannot setuid any file

Level 2 (Secure):
 - Cannot decrement the system time
 - Cannot write to any block device, whether mounted or not
 - Cannot unmount any mounted filesystems


Compilation

To compile the BSD Secure Levels LSM, seclvl.ko, enable the
SECURITY_SECLVL configuration option. This is found under Security
options -> BSD Secure Levels in the kernel configuration menu.


Basic Usage

Once the machine is in a running state, with all the necessary modules
loaded and all the filesystems mounted, you can load the seclvl.ko
module:

# insmod seclvl.ko

The module defaults to secure level 1, except when compiled directly
into the kernel, in which case it defaults to secure level 0. To raise
the secure level to 2, the administrator writes ``2'' to the
seclvl/seclvl file under the sysfs mount point (assumed to be /sys in
these examples):

# echo -n "2" > /sys/seclvl/seclvl

Alternatively, you can initialize the module at secure level 2 with
the initlvl module parameter:

# insmod seclvl.ko initlvl=2

At this point, it is impossible to remove the module or reduce the
secure level. If the administrator wishes to have the option of doing
so, he must provide a module parameter, sha1_passwd, that specifies
the SHA1 hash of the password that can be used to reduce the secure
level to 0.

To generate this SHA1 hash, the administrator can use OpenSSL:

# echo -n "boogabooga" | openssl sha1
abeda4e0f33defa51741217592bf595efb8d289c

In order to use password-instigated secure level reduction, the SHA1
crypto module must be loaded or compiled into the kernel:

# insmod sha1.ko

The administrator can then insmod the seclvl module, including the
SHA1 hash of the password:

# insmod seclvl.ko sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c

To reduce the secure level, write the password to seclvl/passwd under
your sysfs mount point:

# echo -n "boogabooga" > /sys/seclvl/passwd

The September 2004 edition of Sys Admin Magazine has an article about
the BSD Secure Levels LSM. I encourage you to refer to that article
for a more in-depth treatment of this security module:

http://www.samag.com/documents/s=9304/sam0409a/0409a.htm
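

Added example, not part of the original document or the kernel tree:
shell helpers for the password step in Basic Usage. They hash the
password from stdin, validate the level and the digest, and print the
insmod line instead of running it. The function names, the
EMPTY_SHA1 variable and the use of sha1sum in place of openssl are
assumptions.

```shell
#!/bin/sh
# Added example: prepare seclvl module parameters without loading anything.
# Function names are hypothetical; sha1sum (coreutils) is assumed present.

# SHA1 of zero bytes of input; used to refuse an empty password.
EMPTY_SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709

# Hash stdin byte for byte and print the 40-digit hex digest.
# A trailing newline in the input changes the digest, so feed the password
# with printf '%s' rather than relying on echo -n.
seclvl_hash() {
    sha1sum | cut -d' ' -f1
}

# Succeed only for 40 lowercase hex digits, the form shown in the document.
seclvl_valid_hash() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Succeed only for the levels the document defines: -1, 0, 1 and 2.
seclvl_valid_level() {
    case "$1" in
        -1|0|1|2) return 0 ;;
    esac
    return 1
}

# Print (do not run) the insmod line for level $1 and the password on stdin.
seclvl_insmod_cmd() {
    level=$1
    if ! seclvl_valid_level "$level"; then
        echo "seclvl: level must be -1, 0, 1 or 2" >&2
        return 1
    fi
    hash=$(seclvl_hash)
    if ! seclvl_valid_hash "$hash" || [ "$hash" = "$EMPTY_SHA1" ]; then
        echo "seclvl: empty password or hashing failed" >&2
        return 1
    fi
    printf 'insmod seclvl.ko initlvl=%s sha1_passwd=%s\n' "$level" "$hash"
}
```

The same byte-exact rule applies when the password is later written to
seclvl/passwd: a stray newline there produces a different digest than
the one given in sha1_passwd.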