> On Sat, Feb 25, 2017 at 11:34:19PM -0500, Peter Colberg wrote:
> > >Synopsis:      pfctl -T show not permitted when kern.securelevel=2
> > >Category:      kernel
> > >Environment:
> >         System      : OpenBSD 6.0
> >         Details     : OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
> >                          [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > 
> >         Architecture: OpenBSD.amd64
> >         Machine     : amd64
> > >Description:
> >         When attempting to list the contents of a pf table and the
> >         kernel is set to securelevel 2, pfctl -T show fails with
> >         `Operation not permitted'. pfctl -vT show works as expected.
> > >How-To-Repeat:
> >         # sysctl kern.securelevel
> >         kern.securelevel=1
> > 
> >         # pfctl -t test -T add 198.51.100.81
> >         1 table created.
> >         1/1 addresses added.
> > 
> >         # pfctl -t test -T show
> >            198.51.100.81
> > 
> >         # pfctl -t test -vT show
> >            198.51.100.81
> >                 Cleared:     Sat Feb 25 22:57:50 2017
> > 
> >         # sysctl kern.securelevel=2          
> >         kern.securelevel: 1 -> 2
> > 
> >         # pfctl -t test -T show
> >         pfctl: Operation not permitted.
> > 
> >         # pfctl -t test -vT show
> >            198.51.100.81
> >                 Cleared:     Sat Feb 25 22:57:50 2017
> 
> In addition to DIOCRGETASTATS, permit DIOCRGETADDRS if securelevel > 1.
> 
> Index: sys/net/pf_ioctl.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_ioctl.c,v
> retrieving revision 1.307
> diff -u -p -r1.307 pf_ioctl.c
> --- sys/net/pf_ioctl.c        30 Jan 2017 17:41:34 -0000      1.307
> +++ sys/net/pf_ioctl.c        28 Feb 2017 05:21:15 -0000
> @@ -917,6 +917,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
>               case DIOCRADDADDRS:
>               case DIOCRDELADDRS:
>               case DIOCRSETADDRS:
> +             case DIOCRGETADDRS:
>               case DIOCRGETASTATS:
>               case DIOCRCLRASTATS:
>               case DIOCRTSTADDRS:
> 


It was nearly 20 years ago that there were believers in securelevel 2.
I was never one of them.

However, the whole point was that securelevel 2 doesn't let you do a
whole ton of things.  That switch table was essentially complete two
decades ago, and we don't know who is relying upon the behaviour now.

I suggest you adapt.

