diff options
| author | nsayer <nsayer@FreeBSD.org> | 1999-04-07 19:48:09 +0000 |
|---|---|---|
| committer | nsayer <nsayer@FreeBSD.org> | 1999-04-07 19:48:09 +0000 |
| commit | 4d675dd8bfaf2390f5816b9ce29efd07d15db1a4 (patch) | |
| tree | c72c438131a6756a85e284d6c751907d3a13373a /sys/kern/kern_time.c | |
| parent | 32c3652183b8a0a36d2ca88e7e71b7276250bae4 (diff) | |
| download | FreeBSD-src-4d675dd8bfaf2390f5816b9ce29efd07d15db1a4.zip FreeBSD-src-4d675dd8bfaf2390f5816b9ce29efd07d15db1a4.tar.gz | |
More secure clock management. Allow positive steps only once per second
for as much as one second, but no more. Allows a miscreant to
double-time march the clock, but no worse.
XXX Unlike putting negative deltas in a while(1), performing small
positive steps inside of a while(1) will return EPERM for the
unpermitted ones. Repeated negative deltas are clamped without
error (but the kernel does log a notice).
Diffstat (limited to 'sys/kern/kern_time.c')
| -rw-r--r-- | sys/kern/kern_time.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 15eed4a..e6921ea 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)kern_time.c 8.1 (Berkeley) 6/10/93 - * $Id: kern_time.c,v 1.62 1999/04/07 16:36:56 nsayer Exp $ + * $Id: kern_time.c,v 1.63 1999/04/07 17:32:21 mjacob Exp $ */ #include <sys/param.h> @@ -79,7 +79,7 @@ settime(tv) struct timeval *tv; { struct timeval delta, tv1, tv2; - static struct timeval maxtime; + static struct timeval maxtime, laststep; struct timespec ts; int s; @@ -94,11 +94,15 @@ settime(tv) * time we have yet seen. The worst a miscreant can do in * this circumstance is "freeze" time. He couldn't go * back to the past. + * + * We similarly do not allow the clock to be stepped more + * than one second, nor more than once per second. This allows + * a miscreant to make the clock march double-time, but no worse. */ if (securelevel > 1) { if (delta.tv_sec < 0 || delta.tv_usec < 0) { /* - * Initialize maxtime if we've not seen it before. + * Update maxtime to latest time we've seen. */ if (tv1.tv_sec > maxtime.tv_sec) maxtime = tv1; @@ -109,14 +113,15 @@ settime(tv) printf("Time adjustment clamped to -1 second\n"); } } else { - /* - * XXX - * We have to figure out how to be secure - * in this case. Allowing arbitrary - * positive increases allows a miscreant - * to simply wrap time around the end - * of time. - */ + if (tv1.tv_sec == laststep.tv_sec) { + splx(s); + return (EPERM); + } + if (delta.tv_sec > 1) { + tv->tv_sec = tv1.tv_sec + 1; + printf("Time adjustment clamped to +1 second\n"); + } + laststep = *tv; } } |
