Linux securelevel interface
The Linux securelevel interface (inspired by the BSD securelevel interface)
is a runtime mechanism for configuring coarse-grained kernel-level security
restrictions. It provides a runtime configuration variable at
/sys/kernel/security/securelevel which can be written to by root. The
following values are supported:
-1: Permanently insecure mode. This level is equivalent to level 0, but once
set cannot be changed.
0: Insecure mode (default). This level imposes no additional kernel
restrictions.
1: Secure mode. If set, userspace will be unable to perform direct access
to PCI devices, port IO access, access system memory directly via
/dev/mem and /dev/kmem, perform kexec_load(), use the userspace
software suspend mechanism, insert new ACPI code at runtime via the
custom_method interface or modify CPU MSRs (on x86). Certain drivers
may also limit additional interfaces.
Once the securelevel value is increased, it may not be decreased.
