kern/76526: [patch] cannot manipulate pf in securelevel 2

Andrew Konstantinov andrei at kableu.com
Thu Jan 20 23:10:25 PST 2005


>Number:         76526
>Category:       kern
>Synopsis:       [patch] cannot manipulate pf in securelevel 2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 07:10:24 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 5.3-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD warrior.kableu.com 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #0: Sun Jan 16 21:42:35 PST 2005 andrei at warrior.kableu.com:/usr/obj/usr/src/sys/CUSTOM i386

>Description:
	As described by the manual page for the securelevel feature, if the machine is running at securelevel 3, it enforces an additional protection mechanism against altering the pf/ipf/ipfw settings. According to the documentation, this should not happen if the machine is running at a securelevel lower than 3. In reality this isn't true, since this feature is enforced if the system is running at securelevel 2 and higher.

>How-To-Repeat:
	Build a FreeBSD 5.3-RELEASE-p5 system with pf. Set the securelevel to 2 and try to alter the pf rules (for example, run pfctl -F all). The system will complain with a message saying that permission has been denied.
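The following is an added example, not code from this PR or from FreeBSD's pf_ioctl.c. It models the securelevel gate the report describes: the kernel's securelevel_gt() fails with EPERM when the running securelevel is greater than its argument, and a switch after the gate keeps a set of requests (DIOCGETRULES is the first case visible in the patch) usable even above the threshold. The enum, the stand-in flush request DIOC_MODEL_FLUSH, and the gate function are constructed here; only DIOCGETRULES and the two thresholds (1 before the patch, 2 after) come from the page. Running it checks each threshold against securelevel(7)'s rule that level 3 is the first level at which filter rules become immutable.

```c
#include <errno.h>
#include <stdio.h>

/* Model of the securelevel gate around pf's ioctl handler (example code,
 * not FreeBSD's pf_ioctl.c). The real kernel calls
 * securelevel_gt(td->td_ucred, N), which returns EPERM when the running
 * securelevel is greater than N; everything else here is a constructed
 * stand-in for the ioctl dispatch. */

/* securelevel(7): level 3 is the first level at which packet filter rules
 * may no longer be changed. */
#define SECLEVEL_NETWORK_SECURE 3

/* Thresholds passed to securelevel_gt() before and after the patch. */
#define GATE_THRESHOLD_ORIGINAL 1   /* denies at securelevel > 1, i.e. 2 and 3 */
#define GATE_THRESHOLD_PATCHED  2   /* denies at securelevel > 2, i.e. 3 only */

/* DIOCGETRULES is a real, read-only pf ioctl. DIOC_MODEL_FLUSH is a
 * constructed stand-in for a rule-modifying request such as the one
 * behind "pfctl -F all"; the numeric values are arbitrary. */
enum pf_cmd { DIOCGETRULES = 1, DIOC_MODEL_FLUSH = 2 };

/* Model of securelevel_gt(): EPERM when the running securelevel exceeds
 * the threshold, 0 otherwise. */
static int securelevel_gt_model(int running_level, int threshold) {
    return running_level > threshold ? EPERM : 0;
}

/* Gate an ioctl request. Above the threshold only read-only requests
 * (the switch() the patch's XXX comment refers to) are still honoured.
 * Returns 0 when the request may proceed, EPERM when it is refused. */
int pf_ioctl_gate(int running_level, int threshold, enum pf_cmd cmd) {
    if (securelevel_gt_model(running_level, threshold)) {
        switch (cmd) {
        case DIOCGETRULES:
            break;              /* read-only: permitted */
        default:
            return EPERM;       /* modifying: refused */
        }
    }
    return 0;
}

/* Does the gate, at a given threshold, agree with securelevel(7) for
 * every securelevel from -1 to 3 and for both kinds of request?
 * Returns 1 if it agrees everywhere, 0 at the first disagreement. */
int gate_matches_manual(int threshold) {
    for (int level = -1; level <= 3; level++) {
        int documented_deny = level >= SECLEVEL_NETWORK_SECURE;
        int got_flush = pf_ioctl_gate(level, threshold, DIOC_MODEL_FLUSH);
        int got_read  = pf_ioctl_gate(level, threshold, DIOCGETRULES);
        if ((got_flush == EPERM) != documented_deny)
            return 0;           /* modifying request gated at the wrong level */
        if (got_read != 0)
            return 0;           /* reads must never be blocked by this gate */
    }
    return 1;
}

int main(void) {
    printf("threshold %d (before patch) matches securelevel(7): %s\n",
           GATE_THRESHOLD_ORIGINAL,
           gate_matches_manual(GATE_THRESHOLD_ORIGINAL) ? "yes" : "no");
    printf("threshold %d (after patch) matches securelevel(7): %s\n",
           GATE_THRESHOLD_PATCHED,
           gate_matches_manual(GATE_THRESHOLD_PATCHED) ? "yes" : "no");
    return 0;
}
```

With threshold 1 the model refuses the flush at securelevel 2, which is the behaviour the report observed; with threshold 2 it refuses only at securelevel 3, and DIOCGETRULES is served at every level either way, so a monitoring tool reading the ruleset keeps working on a level 3 host.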
>Fix:
	The following patch should fix the problem.

--- fix.patch begins here ---
--- sys/contrib/pf/net/pf_ioctl.c.orig	Thu Jan 20 22:40:35 2005
+++ sys/contrib/pf/net/pf_ioctl.c	Thu Jan 20 22:41:24 2005
@@ -1058,9 +1058,9 @@
 
 	/* XXX keep in sync with switch() below */
 #ifdef __FreeBSD__
-	if (securelevel_gt(td->td_ucred, 1))
+	if (securelevel_gt(td->td_ucred, 2))
 #else
-	if (securelevel > 1)
+	if (securelevel > 2)
 #endif
 		switch (cmd) {
 		case DIOCGETRULES:
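Review bot: the `#else` branch of this hunk (`securelevel > 1` to `securelevel > 2`) is the code path compiled only when `__FreeBSD__` is not defined, i.e. never in the FreeBSD kernel, so editing it changes nothing locally and only widens the diff between sys/contrib/pf and the vendor source that the next import has to reconcile; suggest limiting the change to the `#ifdef __FreeBSD__` line, `if (securelevel_gt(td->td_ucred, 2))`. The new FreeBSD threshold itself matches the stated intent: securelevel_gt() fails when the running level exceeds its argument, so 2 refuses only at securelevel 3, which is where securelevel(7) says filter rules become immutable. The `XXX keep in sync with switch() below` comment still holds after this change: the switch following the gate is what decides which requests stay usable above the threshold, it is untouched here, and DIOCGETRULES (the first case visible) continues to be served at level 3.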
--- fix.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: