On Thu, Jan 20, 2005 at 07:32:01PM -0800, Andrew Konstantinov wrote:
> Hello,
>
> The manual page for securelevel says that secure level 3 provides the same
> functionality as secure level 2 plus the protection of pf/ipf/ipfw against
> modification. Since pf/ipf/ipfw protection is an addition, I assume that it
> should not be present with secure level 2. For some reason that's not the
> reality.
>
> gater# id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> gater# uname -rs
> FreeBSD 5.3-RELEASE-p5
> gater# sysctl kern.securelevel
> kern.securelevel: 2
> gater# pfctl -F all
> pfctl: pfctl_clear_rules: Operation not permitted
> gater#
>
> Is there a bug in the documentation or in the implementation of secure level?
> Or perhaps, did I misinterpret something?
Replying to myself. This should fix the bug if it's really a bug and not a
feature.
--- sys/contrib/pf/net/pf_ioctl.c.orig Thu Jan 20 22:40:35 2005
+++ sys/contrib/pf/net/pf_ioctl.c Thu Jan 20 22:41:24 2005
@@ -1058,9 +1058,9 @@
/* XXX keep in sync with switch() below */
#ifdef __FreeBSD__
- if (securelevel_gt(td->td_ucred, 1))
+ if (securelevel_gt(td->td_ucred, 2))
#else
- if (securelevel > 1)
+ if (securelevel > 2)
#endif
switch (cmd) {
case DIOCGETRULES:
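Review bot: the `/* XXX keep in sync with switch() below */` comment directly above the changed condition says a second securelevel check further down in the switch mirrors this one, but the hunk (`@@ -1058,9 +1058,9 @@`) touches only this site; that second check needs the same `1` to `2` change or the two tests will disagree about which ioctls are refused at securelevel 2. Also, sys/contrib/pf is vendor-imported code and the `#else` branch is the non-FreeBSD build; the reported behaviour concerns only the `#ifdef __FreeBSD__` path, so leave `if (securelevel > 1)` alone and change just `securelevel_gt(td->td_ucred, 1)` to `securelevel_gt(td->td_ucred, 2)`, which keeps the local diff against upstream minimal. Finally, the thread has not settled whether the code or the securelevel manual page is wrong; if the intended FreeBSD semantics are that pf is locked at level 2, the fix belongs in the manual page instead, so the commit message should say which behaviour is being declared correct and why.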