On Sat, Feb 25, 2017 at 11:34:19PM -0500, Peter Colberg wrote:
> >Synopsis: pfctl -T show not permitted when kern.securelevel=2
> >Category: kernel
> >Environment:
> System : OpenBSD 6.0
> Details : OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
>
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> When attempting to list the contents of a pf table and the
> kernel is set to securelevel 2, pfctl -T show fails with
> `Operation not permitted'. pfctl -vT show works as expected.
> >How-To-Repeat:
> # sysctl kern.securelevel
> kern.securelevel=1
>
> # pfctl -t test -T add 198.51.100.81
> 1 table created.
> 1/1 addresses added.
>
> # pfctl -t test -T show
> 198.51.100.81
>
> # pfctl -t test -vT show
> 198.51.100.81
> Cleared: Sat Feb 25 22:57:50 2017
>
> # sysctl kern.securelevel=2
> kern.securelevel: 1 -> 2
>
> # pfctl -t test -T show
> pfctl: Operation not permitted.
>
> # pfctl -t test -vT show
> 198.51.100.81
> Cleared: Sat Feb 25 22:57:50 2017
In addition to DIOCRGETASTATS, permit DIOCRGETADDRS if securelevel > 1.
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.307
diff -u -p -r1.307 pf_ioctl.c
--- sys/net/pf_ioctl.c 30 Jan 2017 17:41:34 -0000 1.307
+++ sys/net/pf_ioctl.c 28 Feb 2017 05:21:15 -0000
@@ -917,6 +917,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
case DIOCRADDADDRS:
case DIOCRDELADDRS:
case DIOCRSETADDRS:
+ case DIOCRGETADDRS:
case DIOCRGETASTATS:
case DIOCRCLRASTATS:
case DIOCRTSTADDRS:
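Review bot: the one-line rationale above the diff should spell out why the new `case DIOCRGETADDRS:` is safe in this securelevel > 1 list: per the report it backs the read-only `pfctl -T show` listing, whereas the neighbouring `case DIOCRADDADDRS:`, `case DIOCRDELADDRS:` and `case DIOCRSETADDRS:` already permit modifying table contents at the same securelevel, so the added case grants strictly less than what is already allowed, and `pfctl -vT show` already returns the same addresses through DIOCRGETASTATS. Worth stating in the commit message; the How-To-Repeat steps from the report (`pfctl -t test -T show` with kern.securelevel=2 no longer returning EPERM) serve as the regression check.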