From owner-freebsd-bugs@FreeBSD.ORG Fri Jan 21 07:10:25 2005
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Fri, 21 Jan 2005 07:10:24 GMT
Resent-Message-Id: <200501210710.j0L7AOgt070450@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andrew Konstantinov
Message-Id: <20050121070720.635A311445@warrior.kableu.com>
Date: Thu, 20 Jan 2005 23:07:20 -0800 (PST)
From: Andrew Konstantinov
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/76526: [patch] cannot manipulate pf in securelevel 2
Reply-To: Andrew Konstantinov
List-Id: Bug reports

>Number:         76526
>Category:       kern
>Synopsis:       [patch] cannot manipulate pf in securelevel 2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 07:10:24 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 5.3-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD warrior.kableu.com 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #0: Sun Jan 16 21:42:35 PST 2005 andrei@warrior.kableu.com:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
As described by the manual page for the securelevel feature, if the machine is running at securelevel 3, it enforces an additional protection mechanism against altering the pf/ipf/ipfw settings. According to the documentation, if the machine is running at a securelevel lower than 3, that should not happen. In reality this isn't true, since this feature is enforced if the system is running at securelevel 2 or higher.
>How-To-Repeat:
Build a FreeBSD 5.3-RELEASE-p5 system with pf. Set the securelevel to 2 and try to alter the pf rules (for example, do pfctl -F all). The system will complain with a message saying that permission has been denied.
>Fix:
The following patch should fix the problem.

--- fix.patch begins here ---
--- sys/contrib/pf/net/pf_ioctl.c.orig	Thu Jan 20 22:40:35 2005
+++ sys/contrib/pf/net/pf_ioctl.c	Thu Jan 20 22:41:24 2005
@@ -1058,9 +1058,9 @@ /* XXX keep in sync with switch() below */ #ifdef __FreeBSD__ - if (securelevel_gt(td->td_ucred, 1)) + if (securelevel_gt(td->td_ucred, 2)) #else - if (securelevel > 1) + if (securelevel > 2) #endif switch (cmd) { case DIOCGETRULES: --- fix.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
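Review bot: the change in the `#else` branch (`- if (securelevel > 1)` / `+ if (securelevel > 2)`) alters OpenBSD's own behaviour, where securelevel 2 is the level at which pf rules become read-only, and widens the diff against the vendor source without any effect on FreeBSD; leave that branch at `> 1` and change only the `#ifdef __FreeBSD__` line. On the FreeBSD branch the new `securelevel_gt(td->td_ucred, 2)` only returns EPERM once the effective securelevel exceeds 2, i.e. at securelevel 3, which is the behaviour the Description says the manual page documents, so the read-only ioctls exempted by the `switch (cmd)` that follows (starting with `case DIOCGETRULES:`) keep their meaning and the `/* XXX keep in sync with switch() below */` comment remains accurate since only the threshold moves.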