chflags schg on secure level higher than 0

From: Sébastien BINI <Sebastien.BINI_at_stormshield.eu>
Date: Wed, 07 Sep 2022 12:49:37 UTC
Hi,


I have been playing with secure levels on FreeBSD, in an attempt to further improve the security of our FreeBSD products. The combination of secure level and the system immutable flag is quite appealing as we can then protect sensitive files.


However, I am concerned by the fact that the schg flag can still be added regardless of the secure level. That means that anyone with root access could add this flag on unexpected files, which may lead to some program malfunctions (in our case, a well placed flag may even prevent any software upgrade...). Once they are set, those flags are difficult to remove because of the secure level.


I would have found it more logical if a secure level higher than 0 simply prevented any SF_* flag from being set. We could easily write some MAC callback to protect ourselves against this, but is there a reason I am not seeing why this is not the default behavior? Why does FreeBSD allow setting the schg flag if the secure level is 1 or higher?


Best regards,

Sébastien
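The asymmetry the message describes (root may add schg at any secure level, but once a system flag is present it can only be cleared at securelevel 0 or below) is worth seeing spelled out. The block below is an added example, not code from the original post or from FreeBSD: `flag_change_permitted()` models the check that ufs_setattr() performs as documented in securelevel(7) and chflags(2), and `locked_files()` is a pre-flight audit for files that would become un-clearable once the level is raised. All function names are illustrative; the `SF_SETTABLE` value is taken from FreeBSD's <sys/stat.h>.

```python
"""Model of FreeBSD's file-flag change rule under securelevel, plus an audit.

Added example, not part of the original mailing-list post.  The decision
function reproduces the ufs_setattr() check as documented in securelevel(7):
at securelevel >= 1 the system immutable/append-only/nounlink flags cannot be
cleared, but root may still *set* them on a file that carries none.
"""
import os
import stat
import sys

# SF_* flags whose presence locks a file against further flag changes when
# kern.securelevel > 0.  (stat exposes these constants on every platform.)
SF_LOCKING = stat.SF_IMMUTABLE | stat.SF_APPEND | stat.SF_NOUNLINK
# Superuser-settable flag range, from FreeBSD <sys/stat.h>.
SF_SETTABLE = 0xFFFF0000


def flag_change_permitted(current_flags, new_flags, securelevel, privileged=True):
    """Return True if chflags(2) from current_flags to new_flags would succeed.

    privileged: caller holds PRIV_VFS_SYSFLAGS (root outside a jail).
    Rule modelled (illustrative reimplementation, not FreeBSD code):
      * privileged callers may change anything, unless an SF_* locking flag
        is already set and securelevel > 0 (then EPERM);
      * unprivileged callers get EPERM if a locking flag is already set, or
        if the change would touch any SF_* bit.
    """
    locked = bool(current_flags & SF_LOCKING)
    if privileged:
        return not (locked and securelevel > 0)
    if locked:
        return False
    return ((current_flags ^ new_flags) & SF_SETTABLE) == 0


def post_scenario(securelevel, privileged=True):
    """The situation from the post: add schg to a clean file, then try to
    remove it again, both at the given securelevel."""
    return {
        "set_schg": flag_change_permitted(0, stat.SF_IMMUTABLE, securelevel, privileged),
        "clear_schg": flag_change_permitted(stat.SF_IMMUTABLE, 0, securelevel, privileged),
    }


def locked_files(root, target_securelevel):
    """Walk root and return paths whose flags could no longer be cleared once
    kern.securelevel reaches target_securelevel.  Run this before raising the
    level to catch a stray schg on something an upgrade must rewrite.
    Where lstat() has no st_flags (e.g. Linux) nothing is reported."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                flags = getattr(os.lstat(path), "st_flags", 0)
            except OSError:
                continue
            if flags & SF_LOCKING and not flag_change_permitted(flags, 0, target_securelevel):
                found.append(path)
    return found


if __name__ == "__main__":
    for level in (-1, 0, 1, 2):
        print(f"securelevel {level:2d}: {post_scenario(level)}")
    print(f"unprivileged at level 0: {post_scenario(0, privileged=False)}")
    if len(sys.argv) > 1:
        for path in locked_files(sys.argv[1], 1):
            print("locked at securelevel >= 1:", path)
```

On a real FreeBSD host the same audit is `sysctl kern.securelevel` followed by `find / -xdev -flags +schg` (or `+sappnd`, `+sunlnk`); the Python walk only adds the "would this still be clearable at level N" decision on top of the raw listing.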