From 3d7618d8bf0b7b03c501318edb16573622a00160 Mon Sep 17 00:00:00 2001
From: "David E. O'Brien" <obrien@FreeBSD.org>
Date: Tue, 13 Dec 2011 17:59:16 +0000
Subject: Disallow various debug.kdb sysctl's when securelevel is raised.

PR:	161350
---
 sys/kern/kern_shutdown.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'sys/kern/kern_shutdown.c')

diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index 90a74b8b1e0d..2ef4e13bf05d 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -102,8 +102,9 @@ int debugger_on_panic = 0;
 #else
 int debugger_on_panic = 1;
 #endif
-SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
-	&debugger_on_panic, 0, "Run debugger on kernel panic");
+SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic,
+    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN, &debugger_on_panic, 0,
+    "Run debugger on kernel panic");
 TUNABLE_INT("debug.debugger_on_panic", &debugger_on_panic);
 
 #ifdef KDB_TRACE
@@ -111,8 +112,9 @@ static int trace_on_panic = 1;
 #else
 static int trace_on_panic = 0;
 #endif
-SYSCTL_INT(_debug, OID_AUTO, trace_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
-	&trace_on_panic, 0, "Print stack trace on kernel panic");
+SYSCTL_INT(_debug, OID_AUTO, trace_on_panic,
+    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN, &trace_on_panic, 0,
+    "Print stack trace on kernel panic");
 TUNABLE_INT("debug.trace_on_panic", &trace_on_panic);
 #endif /* KDB */
 
-- 
cgit v1.2.3