Date:      Thu, 20 Jan 2005 22:47:15 -0800
From:      Andrew Konstantinov <andrei@kableu.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: secure level 2 unable to modify pf rules
Message-ID:  <20050121064715.GA82604@warrior.kableu.com>
In-Reply-To: <20050121033201.GA81807@warrior.kableu.com>
References:  <20050121033201.GA81807@warrior.kableu.com>

On Thu, Jan 20, 2005 at 07:32:01PM -0800, Andrew Konstantinov wrote:
> Hello,
> 
> The manual page for securelevel says that secure level 3 provides the same
> functionality as secure level 2 plus the protection of pf/ipf/ipfw against
> modification. Since pf/ipf/ipfw protection is an addition, I assume that it
> should not be present with secure level 2. For some reason that's not the
> reality.
> 
> gater# id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> gater# uname -rs
> FreeBSD 5.3-RELEASE-p5
> gater# sysctl kern.securelevel
> kern.securelevel: 2
> gater# pfctl -F all
> pfctl: pfctl_clear_rules: Operation not permitted
> gater#
> 
> Is there a bug in the documentation or in the implementation of secure level?
> Or perhaps, did I misinterpret something?

Replying to myself. This should fix the bug if it's really a bug and not a
feature.

--- sys/contrib/pf/net/pf_ioctl.c.orig  Thu Jan 20 22:40:35 2005
+++ sys/contrib/pf/net/pf_ioctl.c       Thu Jan 20 22:41:24 2005
@@ -1058,9 +1058,9 @@

        /* XXX keep in sync with switch() below */
 #ifdef __FreeBSD__
-       if (securelevel_gt(td->td_ucred, 1))
+       if (securelevel_gt(td->td_ucred, 2))
 #else
-       if (securelevel > 1)
+       if (securelevel > 2)
 #endif
		switch (cmd) {
		case DIOCGETRULES:
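Review bot: the `#else` arm should be left alone: `sys/contrib/pf/` is imported code, and the `#ifdef __FreeBSD__` arm exists precisely so the FreeBSD-specific threshold can differ from upstream, so changing `securelevel > 1` to `securelevel > 2` there only creates a needless diff against the next import. Two further points before this is committed: the context line `/* XXX keep in sync with switch() below */` shows there is a second check site this hunk does not touch, so the committer should confirm that switch carries no securelevel assumption of its own; and since the change lowers a hardening boundary for every host already running at `kern.securelevel` 2, the decision of which side is wrong (man page or code) should be settled first and both changed together, rather than the kernel check being loosened on its own.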

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050121064715.GA82604>