Attachment #55812 for bug #84266




.\" SUCH DAMAGE.
.\"
.\"     @(#)init.8	8.3 (Berkeley) 4/18/94
.\" $FreeBSD:  Exp $
.\"
.Dd April 18, 1994
.Dt INIT 8

is marked as
.Dq secure .
.Pp
If the kernel security level (see
.Xr security 7 )
is initially nonzero, then
The security levels are:
.Bl -tag -width flag
.It Ic -1
Permanently insecure mode \- always run the system in level 0 mode.
This is the default initial value.
.It Ic 0
Insecure mode \- immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
.It Ic 1
Secure mode \- the system immutable and system append-only flags may not
be turned off;
disks for mounted file systems,
.Pa /dev/mem ,
.Pa /dev/kmem
and
.Pa /dev/io
(if your platform has it) may not be opened for writing;
kernel modules (see
.Xr kld 4 )
may not be loaded or unloaded.
.It Ic 2
Highly secure mode \- same as secure mode, plus disks may not be
opened for writing (except by
.Xr mount 2 )
whether mounted or not.
This level precludes tampering with file systems by unmounting them,
but also inhibits running
.Xr newfs 8
while the system is multi-user.
.Pp
In addition, kernel time changes are restricted to less than or equal to one
second.
Attempts to change the time by more than this will log the message
.Dq Time adjustment clamped to +1 second .
.It Ic 3
Network secure mode \- same as highly secure mode, plus
IP packet filter rules (see
.Xr ipfw 8 ,
.Xr ipfirewall 4
and
.Xr pfctl 8 )
cannot be changed and
.Xr dummynet 4
or
.Xr pf 4
configuration cannot be adjusted.
.El
.Pp
If the security level is initially nonzero, then
.Nm
leaves it unchanged.
Otherwise,

.Dq host system
will not be effected.
Part of the information set up in the kernel to support a jail
is a per-jail setting of the security level.
.Dq securelevel
setting.
This allows running a higher security level inside of a jail
than that of the host system.
See

.Xr kill 1 ,
.Xr login 1 ,
.Xr sh 1 ,
.Xr dummynet 4 ,
.Xr ipfirewall 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr ttys 5 ,
.Xr crash 8 ,
.Xr getty 8 ,
.Xr halt 8 ,
.Xr ipfw 8 ,
.Xr jail 8 ,
.Xr pfctl 8 ,
.Xr rc 8 ,
.Xr reboot 8 ,
.Xr security 7 ,
.Xr shutdown 8 ,
.Xr sysctl 8
.Sh HISTORY

Return to bug 84266

Lines 29-35 Link Here

(-)/pr/work/init.8 (-63 / +6 lines)
29	.\" SUCH DAMAGE.	29	.\" SUCH DAMAGE.
30	.\"	30	.\"
31	.\" @(#)init.8 8.3 (Berkeley) 4/18/94	31	.\" @(#)init.8 8.3 (Berkeley) 4/18/94
32	.\" $FreeBSD: src/sbin/init/init.8,v 1.45 2004/07/22 10:38:13 keramida Exp $	32	.\" $FreeBSD: Exp $
33	.\"	33	.\"
34	.Dd April 18, 1994	34	.Dd April 18, 1994
35	.Dt INIT 8	35	.Dt INIT 8
Lines 87-144 Link Here
87	is marked as	87	is marked as
88	.Dq secure .	88	.Dq secure .
89	.Pp	89	.Pp
90	The kernel runs with five different levels of security.	90	If the kernel security level (see
91	Any super-user process can raise the security level, but no process	91	.Xr security 7 )
92	can lower it.	92	is initially nonzero, then
93	The security levels are:
94	.Bl -tag -width flag
95	.It Ic -1
96	Permanently insecure mode \- always run the system in level 0 mode.
97	This is the default initial value.
98	.It Ic 0
99	Insecure mode \- immutable and append-only flags may be turned off.
100	All devices may be read or written subject to their permissions.
101	.It Ic 1
102	Secure mode \- the system immutable and system append-only flags may not
103	be turned off;
104	disks for mounted file systems,
105	.Pa /dev/mem ,
106	.Pa /dev/kmem
107	and
108	.Pa /dev/io
109	(if your platform has it) may not be opened for writing;
110	kernel modules (see
111	.Xr kld 4 )
112	may not be loaded or unloaded.
113	.It Ic 2
114	Highly secure mode \- same as secure mode, plus disks may not be
115	opened for writing (except by
116	.Xr mount 2 )
117	whether mounted or not.
118	This level precludes tampering with file systems by unmounting them,
119	but also inhibits running
120	.Xr newfs 8
121	while the system is multi-user.
122	.Pp
123	In addition, kernel time changes are restricted to less than or equal to one
124	second.
125	Attempts to change the time by more than this will log the message
126	.Dq Time adjustment clamped to +1 second .
127	.It Ic 3
128	Network secure mode \- same as highly secure mode, plus
129	IP packet filter rules (see
130	.Xr ipfw 8 ,
131	.Xr ipfirewall 4
132	and
133	.Xr pfctl 8 )
134	cannot be changed and
135	.Xr dummynet 4
136	or
137	.Xr pf 4
138	configuration cannot be adjusted.
139	.El
140	.Pp
141	If the security level is initially nonzero, then
142	.Nm	93	.Nm
143	leaves it unchanged.	94	leaves it unchanged.
144	Otherwise,	95	Otherwise,
Lines 161-169 Link Here
161	.Dq host system	112	.Dq host system
162	will not be effected.	113	will not be effected.
163	Part of the information set up in the kernel to support a jail	114	Part of the information set up in the kernel to support a jail
164	is a per-jail	115	is a per-jail setting of the security level.
165	.Dq securelevel
166	setting.
167	This allows running a higher security level inside of a jail	116	This allows running a higher security level inside of a jail
168	than that of the host system.	117	than that of the host system.
169	See	118	See
Lines 392-410 Link Here
392	.Xr kill 1 ,	341	.Xr kill 1 ,
393	.Xr login 1 ,	342	.Xr login 1 ,
394	.Xr sh 1 ,	343	.Xr sh 1 ,
395	.Xr dummynet 4 ,
396	.Xr ipfirewall 4 ,
397	.Xr kld 4 ,
398	.Xr pf 4 ,
399	.Xr ttys 5 ,	344	.Xr ttys 5 ,
400	.Xr crash 8 ,
401	.Xr getty 8 ,	345	.Xr getty 8 ,
402	.Xr halt 8 ,	346	.Xr halt 8 ,
403	.Xr ipfw 8 ,
404	.Xr jail 8 ,	347	.Xr jail 8 ,
405	.Xr pfctl 8 ,
406	.Xr rc 8 ,	348	.Xr rc 8 ,
407	.Xr reboot 8 ,	349	.Xr reboot 8 ,
		350	.Xr security 7 ,
408	.Xr shutdown 8 ,	351	.Xr shutdown 8 ,
409	.Xr sysctl 8	352	.Xr sysctl 8
410	.Sh HISTORY	353	.Sh HISTORY