Date: Thu, 20 Jan 2005 22:47:15 -0800
From: Andrew Konstantinov <andrei@kableu.com>
To: freebsd-stable@freebsd.org
Subject: Re: secure level 2 unable to modify pf rules
Message-ID: <20050121064715.GA82604@warrior.kableu.com>
In-Reply-To: <20050121033201.GA81807@warrior.kableu.com>
References: <20050121033201.GA81807@warrior.kableu.com>

On Thu, Jan 20, 2005 at 07:32:01PM -0800, Andrew Konstantinov wrote:
> Hello,
>
> The manual page for securelevel says that secure level 3 provides the same
> functionality as secure level 2 plus the protection of pf/ipf/ipfw against
> modification. Since pf/ipf/ipfw protection is an addition, I assume that it
> should not be present with secure level 2. For some reason that's not the
> reality.
>
> gater# id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> gater# uname -rs
> FreeBSD 5.3-RELEASE-p5
> gater# sysctl kern.securelevel
> kern.securelevel: 2
> gater# pfctl -F all
> pfctl: pfctl_clear_rules: Operation not permitted
> gater#
>
> Is there a bug in the documentation or in the implementation of secure level?
> Or perhaps, did I misinterpret something?

Replying to myself. This should fix the bug if it's really a bug and not a feature.

--- sys/contrib/pf/net/pf_ioctl.c.orig Thu Jan 20 22:40:35 2005 +++ sys/contrib/pf/net/pf_ioctl.c Thu Jan 20 22:41:24 2005 @@ -1058,9 +1058,9 @@ /* XXX keep in sync with switch() below */ #ifdef __FreeBSD__ - if (securelevel_gt(td->td_ucred, 1)) + if (securelevel_gt(td->td_ucred, 2)) #else - if (securelevel > 1) + if (securelevel > 2) #endif switch (cmd) { case DIOCGETRULES:
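Review bot: The retained comment /* XXX keep in sync with switch() below */ refers to a second switch that this hunk does not show, so please confirm in the patch description that no threshold or case list further down in pf_ioctl.c needs a matching change. Raising the literal from 1 to 2 in both the __FreeBSD__ and #else branches relaxes an enforced restriction: a host at kern.securelevel 2 that currently refuses pfctl -F all with "Operation not permitted" would accept it afterwards, so anyone relying on level 2 to freeze the pf ruleset loses that protection on upgrade. If the intent is to match the manual page, say so in the commit message and the release notes, and add a short comment next to the check stating that the filter now takes effect only at securelevel 3 or higher.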