From andrei@kableu.com  Fri Jan 21 07:07:21 2005
Return-Path: <andrei@kableu.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 910A116A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 07:07:21 +0000 (GMT)
Received: from pop-a065c28.pas.sa.earthlink.net (pop-a065c28.pas.sa.earthlink.net [207.217.121.205])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5725543D41
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 07:07:21 +0000 (GMT)
	(envelope-from andrei@kableu.com)
Received: from h-69-3-26-80.snvacaid.dynamic.covad.net ([69.3.26.80] helo=mail.kableu.com)
	by pop-a065c28.pas.sa.earthlink.net with esmtp (Exim 3.33 #1)
	id 1Crst7-0002cM-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 20 Jan 2005 23:07:21 -0800
Received: from warrior.kableu.com (warrior.kableu.com [192.168.0.1])
	by mail.kableu.com (Postfix) with ESMTP id 8F7BBC0DB
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 20 Jan 2005 23:07:20 -0800 (PST)
Received: by warrior.kableu.com (Postfix, from userid 1001)
	id 635A311445; Thu, 20 Jan 2005 23:07:20 -0800 (PST)
Message-Id: <20050121070720.635A311445@warrior.kableu.com>
Date: Thu, 20 Jan 2005 23:07:20 -0800 (PST)
From: Andrew Konstantinov <andrei@kableu.com>
Reply-To: Andrew Konstantinov <andrei@kableu.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] cannot manipulate pf in securelevel 2
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76526
>Category:       kern
>Synopsis:       [patch] cannot manipulate pf in securelevel 2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dhartmei
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 07:10:24 GMT 2005
>Closed-Date:    Fri Jan 21 19:09:19 GMT 2005
>Last-Modified:  Fri Jan 21 19:09:19 GMT 2005
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 5.3-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD warrior.kableu.com 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #0: Sun Jan 16 21:42:35 PST 2005 andrei@warrior.kableu.com:/usr/obj/usr/src/sys/CUSTOM i386

>Description:
	As described by the manual page for the securelevel feature, if the machine is running at securelevel 3, it enforces an additional protection mechanism against altering the pf/ipf/ipfw settings. According to the documentation, if the machine is running at a securelevel lower than 3, that should not happen. In reality this isn't true, since this feature is enforced if the system is running at securelevel 2 or higher.

>How-To-Repeat:
	Build a FreeBSD 5.3-RELEASE-p5 system with pf. Set the securelevel to 2 and try to alter the pf rules (for example, do pfctl -F all). The system will complain with a message saying that permission has been denied.
>Fix:
	The following patch should fix the problem.

--- fix.patch begins here ---
--- sys/contrib/pf/net/pf_ioctl.c.orig	Thu Jan 20 22:40:35 2005
+++ sys/contrib/pf/net/pf_ioctl.c	Thu Jan 20 22:41:24 2005
@@ -1058,9 +1058,9 @@
 
 	/* XXX keep in sync with switch() below */
 #ifdef __FreeBSD__
-	if (securelevel_gt(td->td_ucred, 1))
+	if (securelevel_gt(td->td_ucred, 2))
 #else
-	if (securelevel > 1)
+	if (securelevel > 2)
 #endif
 		switch (cmd) {
 		case DIOCGETRULES:
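Review bot: the context comment kept above the changed lines, `/* XXX keep in sync with switch() below */`, says a second securelevel-dependent switch() exists further down in pf_ioctl.c that this hunk does not touch; confirm that the threshold there is raised in the same way, otherwise the early guard and the later switch() will disagree about which securelevel blocks pf changes. The two branches of the hunk are consistent with each other: `securelevel_gt(td->td_ucred, 2)` returns an error only when the running securelevel exceeds 2, which matches `securelevel > 2` in the `#else` branch, so both now enforce the level-3 behaviour the description cites. A one-line commit message stating the documented securelevel 3 semantics would help whoever merges this to RELENG_5.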
--- fix.patch ends here ---


>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Andrew Konstantinov <andrei@kableu.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/76526: [patch] cannot manipulate pf in securelevel 2
Date: Fri, 21 Jan 2005 11:22:12 +0300 (MSK)

 Does the recent commit to HEAD (rev. 1.17 of pf_ioctl.c) solve your
 problem?
 
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_ioctl.c
 
 -- 
 Maxim Konovalov

From: Andrew Konstantinov <andrei@kableu.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: kern/76526: [patch] cannot manipulate pf in securelevel 2
Date: Fri, 21 Jan 2005 00:44:35 -0800

 On Fri, Jan 21, 2005 at 11:22:12AM +0300, Maxim Konovalov wrote:
 > Does the recent commit to HEAD (rev. 1.17 of pf_ioctl.c) solve your
 > problem?
 >
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_ioctl.c
 
 It should. When will it or has it already been MFC'ed?
 
 Thanks,
 Andrew
 
Responsible-Changed-From-To: freebsd-bugs->dhartmei 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Fri Jan 21 09:08:48 GMT 2005 
Responsible-Changed-Why:  
Over to the author of rev. 1.17 pf/net/pf_ioctl.c. 

Daniel, could you please decide whether it is OK to MFC that to 
RELENG_5 or not. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76526 
State-Changed-From-To: open->closed 
State-Changed-By: dhartmei 
State-Changed-When: Fri Jan 21 19:08:16 GMT 2005 
State-Changed-Why:  
MFC'd to RELENG_5, thanks for the notice. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76526 
>Unformatted:
