From: Vladimir Sharun
Date: Thu, 29 May 2014 11:56:15 +0300
Subject: Re[2]: gpart destroy, zpool destroy, zfs destroy under securelevel 3
To: Current FreeBSD
Message-Id: <1401353579.467560473.vpvuu1e5@frv45.fwdcdn.com>
In-Reply-To: <5386EBC6.2090306@yandex.ru>
References: <1401109957.895077023.n4pnr8ak@frv45.fwdcdn.com> <5386EBC6.2090306@yandex.ru>

Hello,

> if you have root privileges you can just write some random bytes in some
> places and this will be enough to break your system. So, restricting
> some gpart's or zpool's actions depending on securelevel looks like
> protection from kids.

Having root under securelevel 3 is confirmed to disallow you from:

1) Writing directly to block devices such as (a)da
2) Changing rules and/or shutting down pf
3) Removing system flags such as schg, sunlnk

I think your statement is true in the case of securelevel -1; we're talking about the highest one, 3, which is shown in the logs.