This patch causes a kernel in securelevel 3+ to deny the use of mount and umount. My inspiration for doing this is for running a nethack tournament server; I don't trust everything that will be running on the machine (*) but this will make it more difficult for an errant/evil script to remount my filesystems with permissions I'd rather not give out (like exec or suid). I'm sure others can find other uses for this.

So far this hasn't broken my laptop any, and as far as I can tell, this is the right place for the tests. Why 3? Because I wasn't sure that this level of paranoia was right for level 2, and I was sure that it was not right for level 1. Yeah, go ahead and tell me I'm on crack.

(*) If I don't trust it, why am I running it? And why am I running it with that much privilege that I have to worry. Etc.

Index: securelevel.7 ================================================== ================= RCS file: /cvs/src/share/man/man7/securelevel.7,v retrieving revision 1.15 diff -u -r1.15 securelevel.7 --- securelevel.7 2004/01/08 10:56:07 1.15 +++ securelevel.7 2004/10/30 06:11:28 @@ -105,6 +105,16 @@ .Xr sysctl 8 variables may not be raised .El +.It \ 3 Em Paranoid mode +.Bl -hyphen -compact +.It +all effects of securelevel 2 +.It +The +.Xr mount 2 +and +.Xr unmount 2 +system calls may not be used to mount, unmount or alter filesystems. .El .Sh DESCRIPTION Securelevel provides convenient means of Index: vfs_syscalls.c ================================================== ================= RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.118 diff -u -r1.118 vfs_syscalls.c --- vfs_syscalls.c 2004/09/16 10:37:41 1.118 +++ vfs_syscalls.c 2004/10/30 06:11:47 @@ -60,6 +60,7 @@ extern int suid_clear; int usermount = 0; /* sysctl: by default, users may not mount */ +extern int securelevel; /* sysctl: used here to control (u)?mount */ static int change_dir(struct nameidata *, struct proc *); 
@@ -111,6 +112,10 @@ if (usermount == 0 && (error = suser(p, 0))) return (error); + /* if the securelevel is above 2, deny the use of mount() */ + if (securelevel > 2) + return (EPERM); + /* * Mount points must fit in MNAMELEN, not MAXPATHLEN. */ @@ -391,6 +396,10 @@ struct mount *mp; int error; struct nameidata nd; + + /* if the securelevel is above 2, deny the use of unmount() */ + if (securelevel > 2) + return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), p);

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
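Review bot: the new level-3 entry in securelevel.7 should state that the restriction applies regardless of the caller's privileges: the vfs_syscalls.c hunks return EPERM from mount(2) and unmount(2) whenever securelevel > 2, and the check sits after the usermount/suser() test, so the superuser is refused too. Since the return happens at the top of sys_mount() it also refuses MNT_UPDATE remounts, which is what "alter filesystems" covers. Suggest: "system calls may not be used by any process, including the superuser, to mount, unmount or alter filesystems."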
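Review bot: the added `extern int securelevel;` in the @@ -60 hunk duplicates a declaration that on OpenBSD already lives in <sys/systm.h>; if vfs_syscalls.c includes that header (the rest of sys/kern does), the local extern is redundant and is exactly the kind of declaration that drifts silently if the type ever changes. Drop it in favour of the header. Minor: the comment `(u)?mount` reads like a regex; "mount() and unmount()" is clearer.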
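Review bot: the literal 2 in `if (securelevel > 2)` in the sys_mount() hunk is repeated in the sys_unmount() hunk and again in the man page text; a single named threshold, or a small helper called from both syscalls, would keep the three in step if the level is ever renumbered. Placement is otherwise sound: the check follows the usermount/suser() test, so unprivileged callers see the same error as before and only root's behaviour changes, and because it returns before any path handling, a remount that re-adds exec or suid is refused along with fresh mounts.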
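Review bot: style: the sys_unmount() block adds a blank line before the new comment but none between `return (EPERM);` and the following `NDINIT(...)`, while the sys_mount() hunk does the reverse (no blank line before, one after); use the same layout in both. The position itself is right: the check runs before NDINIT(), so no name lookup has happened and no vnode reference needs releasing on the early return.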