On Sun, 15 Jun 2008 15:26:39 -0400
Coleman Kane <cokane_at_FreeBSD.org> mentioned:

> I think the anti-foot-shooting measures referred to above were also
> taken into consideration for security reasons. It might be valuable for
> someone to be able to configure this feature to be rdmsr-only, thereby
> limiting potential harm vectors in the event that an attacker is likely
> to crack access to the system for supervisory privileges. This would be
> a legitimate consideration to make, especially so that the module could
> at least provide a sane "safe operating mode" to those that would
> benefit from read-only access.
>
> So, for example, I would consider most crackers to be skilled enough to
> inject an ioctl call somewhere, even if the primary user of the system
> is not so skilled, but they want to use software written by others that
> makes use of this interface.

On the other hand, providing extra security levels via sysctl looks slightly
overkill to me, as, if the attacker would be able to issue an ioctl call
somewhere, it would be easy for him to make a sysctl call as well. Priv(9)
checks and/or securelevels could be used to limit the usage of this
functionality. Furthermore, there are a lot of other possible ways to execute
an MSR instruction, including loading your own simple kernel object.

--
Stanislav Sedov
ST4096-RIPE
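
The gating suggested in the reply above, as an added example that is not part of the original message or of any FreeBSD driver: a user-space C model of an MSR ioctl permission check in which reads stay available while writes require a writable descriptor, a passing privilege check and a securelevel of 0 or lower. The `msr_*` names, the command codes and `struct caller` are hypothetical, and the two stand-in checks only model what priv_check(9) and securelevel_gt(9) would decide in the kernel.

```c
/* Added illustration: user-space model of an MSR ioctl gate (hypothetical names). */
#include <errno.h>
#include <stdio.h>

enum msr_cmd { MSR_CMD_READ = 1, MSR_CMD_WRITE = 2 };  /* hypothetical commands */

struct caller {
    int is_privileged;  /* stand-in for priv_check(9) returning 0 */
    int opened_write;   /* descriptor was opened for writing (FWRITE) */
};

/* Stand-in for kern.securelevel: it can be raised but never lowered. */
static int model_securelevel = 0;

void msr_set_securelevel(int level)
{
    if (level > model_securelevel)
        model_securelevel = level;
}

/* Mirrors the securelevel_gt(9) convention: EPERM when above the threshold. */
static int model_securelevel_gt(int level)
{
    return (model_securelevel > level) ? EPERM : 0;
}

/* Returns 0 if the command may proceed, otherwise an errno value. */
int msr_ioctl_check(const struct caller *c, enum msr_cmd cmd)
{
    switch (cmd) {
    case MSR_CMD_READ:
        return 0;                        /* the read-only "safe operating mode" */
    case MSR_CMD_WRITE:
        if (!c->opened_write)
            return EPERM;                /* device node opened read-only */
        if (!c->is_privileged)
            return EPERM;                /* priv(9)-style check failed */
        return model_securelevel_gt(0);  /* writes frozen once securelevel > 0 */
    default:
        return ENOTTY;                   /* unknown command */
    }
}

int main(void)
{
    struct caller root = { 1, 1 };       /* constructed sample caller */
    printf("write, securelevel 0: %d\n", msr_ioctl_check(&root, MSR_CMD_WRITE));
    msr_set_securelevel(1);
    printf("write, securelevel 1: %d\n", msr_ioctl_check(&root, MSR_CMD_WRITE));
    printf("read,  securelevel 1: %d\n", msr_ioctl_check(&root, MSR_CMD_READ));
    return 0;
}
```

Unlike an ordinary sysctl knob, the securelevel in this model cannot be lowered again by the same privileged caller, which is why it works as a write freeze.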