On Thu, Sep 27, 2018 at 03:35:30PM +0200, Zbyszek Żółkiewski wrote:
> sorry, forgot to mention: 6.3 -stable
Same on -CURRENT and probably older releases as well.
> to reproduce:
> - at securelevel=1
> - load pf.conf - file whitelist is populated with IP addresses
> - try to list table: pfctl -t whitelist -T show
> - all will work as expected
> - set securelevel=2 (sysctl kern.securelevel=2)
> - repeat command: pfctl -t whitelist -T show
> - this results in "Operation not permitted"
> - now try: pfctl -t whitelist -v -T show
> - this will result in the table contents being printed, as well as some stats
`-v' uses a different ioctl, see sbin/pfctl/pfctl_table.c:306.
# ktrace pfctl -t whitelist -T show
# kdump | grep ioctl
61090 pfctl CALL ioctl(3,DIOCRGETADDRS,0x7f7ffffeb8b0)
61090 pfctl RET ioctl -1 errno 1 Operation not permitted
# ktrace pfctl -t whitelist -T show -v
# kdump |grep ioctl
99126 pfctl CALL ioctl(3,DIOCRGETASTATS,0x7f7ffffd5aa0)
99126 pfctl RET ioctl 0
The securelevel check for PF ioctls simply doesn't account for the first
one.
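To make the ktrace check above repeatable (for example when confirming the fix or auditing which other PF ioctls a tool issues at a given securelevel), here is an added helper that is not part of this mail: it reads kdump(1) output and pairs each ioctl CALL with its RET line for the same pid, reporting the ioctl name and whether it succeeded or which errno it returned. The sample input is constructed from the two runs quoted above; the function names are my own.

```shell
#!/bin/sh
# ioctl_results: read kdump(1) text on stdin and print one line per ioctl,
# "<NAME> ok" or "<NAME> errno <N>", pairing CALL and RET by pid.
# kdump lines look like:
#   61090 pfctl CALL ioctl(3,DIOCRGETADDRS,0x7f7ffffeb8b0)
#   61090 pfctl RET ioctl -1 errno 1 Operation not permitted
ioctl_results() {
    awk '
    $3 == "CALL" && $4 ~ /^ioctl\(/ {
        split($4, f, ",")          # f[2] is the ioctl request name
        pending[$1] = f[2]         # remember it until the RET for this pid
        next
    }
    $3 == "RET" && $4 == "ioctl" && ($1 in pending) {
        name = pending[$1]; delete pending[$1]
        if ($5 == "-1") printf "%s errno %s\n", name, $7
        else            printf "%s ok\n", name
    }'
}

# denied_ioctls: only the requests refused with EPERM (errno 1), which is
# what the securelevel check in pfioctl() returns.
denied_ioctls() {
    ioctl_results | awk '$2 == "errno" && $3 == "1" { print $1 }'
}

# Constructed sample mirroring the two ktrace runs in the mail.
SAMPLE_KDUMP='61090 pfctl CALL ioctl(3,DIOCRGETADDRS,0x7f7ffffeb8b0)
61090 pfctl RET ioctl -1 errno 1 Operation not permitted
99126 pfctl CALL ioctl(3,DIOCRGETASTATS,0x7f7ffffd5aa0)
99126 pfctl RET ioctl 0'

# Live use on OpenBSD as root (hypothetical invocation, same commands as above):
#   ktrace pfctl -t whitelist -T show && kdump | denied_ioctls
printf '%s\n' "$SAMPLE_KDUMP" | ioctl_results
```

On the sample this prints `DIOCRGETADDRS errno 1` followed by `DIOCRGETASTATS ok`, matching the behaviour described in the mail.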
Grepping for DIOCRGETADDRS consumers in base only shows pfctl and I
currently don't have any concerns in allowing this ioctl when
securelevel is >1, but review/confirmation is welcome here.
Feedback? OK?
Index: net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.337
diff -u -p -r1.337 pf_ioctl.c
--- net/pf_ioctl.c 11 Sep 2018 07:53:38 -0000 1.337
+++ net/pf_ioctl.c 27 Sep 2018 18:29:25 -0000
@@ -951,6 +951,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
case DIOCRADDADDRS:
case DIOCRDELADDRS:
case DIOCRSETADDRS:
+ case DIOCRGETADDRS:
case DIOCRGETASTATS:
case DIOCRCLRASTATS:
case DIOCRTSTADDRS:
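Review bot: placing `+ case DIOCRGETADDRS:` in this case list next to DIOCRGETASTATS is consistent with the ktrace evidence above (DIOCRGETASTATS already passes at securelevel 2 and returns the same addresses plus counters), but the hunk only shows the list itself, so the review should confirm in pfioctl() that this is the switch permitting ioctls when securelevel > 1 and that the DIOCRGETADDRS handler is purely a copy-out with no write path. A short comment on this list stating that it is the read-only set would make the intent clear to the next person adding a case.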