pfctl -T show not permitted when kern.securelevel=2

pfctl -T show not permitted when kern.securelevel=2

Peter Colberg
>Synopsis:      pfctl -T show not permitted when kern.securelevel=2
>Category:      kernel
>Environment:
        System      : OpenBSD 6.0
        Details     : OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        When attempting to list the contents of a pf table and the
        kernel is set to securelevel 2, pfctl -T show fails with
        `Operation not permitted'. pfctl -vT show works as expected.
>How-To-Repeat:
        # sysctl kern.securelevel
        kern.securelevel=1

        # pfctl -t test -T add 198.51.100.81
        1 table created.
        1/1 addresses added.

        # pfctl -t test -T show
           198.51.100.81

        # pfctl -t test -vT show
           198.51.100.81
                Cleared:     Sat Feb 25 22:57:50 2017

        # sysctl kern.securelevel=2
        kern.securelevel: 1 -> 2

        # pfctl -t test -T show
        pfctl: Operation not permitted.

        # pfctl -t test -vT show
           198.51.100.81
                Cleared:     Sat Feb 25 22:57:50 2017


Re: pfctl -T show not permitted when kern.securelevel=2

Peter Colberg
On Sat, Feb 25, 2017 at 11:34:19PM -0500, Peter Colberg wrote:

> >Synopsis:      pfctl -T show not permitted when kern.securelevel=2
> >Category:      kernel
> >Environment:
>         System      : OpenBSD 6.0
>         Details     : OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
>                          [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
>         Architecture: OpenBSD.amd64
>         Machine     : amd64
> >Description:
>         When attempting to list the contents of a pf table and the
>         kernel is set to securelevel 2, pfctl -T show fails with
>         `Operation not permitted'. pfctl -vT show works as expected.
> >How-To-Repeat:
>         # sysctl kern.securelevel
>         kern.securelevel=1
>
>         # pfctl -t test -T add 198.51.100.81
>         1 table created.
>         1/1 addresses added.
>
>         # pfctl -t test -T show
>            198.51.100.81
>
>         # pfctl -t test -vT show
>            198.51.100.81
>                 Cleared:     Sat Feb 25 22:57:50 2017
>
>         # sysctl kern.securelevel=2
>         kern.securelevel: 1 -> 2
>
>         # pfctl -t test -T show
>         pfctl: Operation not permitted.
>
>         # pfctl -t test -vT show
>            198.51.100.81
>                 Cleared:     Sat Feb 25 22:57:50 2017

In addition to DIOCRGETASTATS, permit DIOCRGETADDRS if securelevel > 1.

Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.307
diff -u -p -r1.307 pf_ioctl.c
--- sys/net/pf_ioctl.c 30 Jan 2017 17:41:34 -0000 1.307
+++ sys/net/pf_ioctl.c 28 Feb 2017 05:21:15 -0000
@@ -917,6 +917,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
  case DIOCRADDADDRS:
  case DIOCRDELADDRS:
  case DIOCRSETADDRS:
+ case DIOCRGETADDRS:
  case DIOCRGETASTATS:
  case DIOCRCLRASTATS:
  case DIOCRTSTADDRS:
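Review bot: the seven-line hunk shows only the new `case DIOCRGETADDRS:` label between neighbouring labels; neither the `securelevel > 1` guard nor the default branch that makes this switch an allow-list is visible, so the diff cannot be judged on its own. Regenerate it with more context, or say in the commit message that this is the switch of ioctls still permitted when securelevel > 1, and put a short comment at the new label recording why a read of table addresses is safe to permit: as the transcript in the report shows, `pfctl -vT show` (which the sentence above the diff implies goes through DIOCRGETASTATS) already returns the same addresses, so the change exposes nothing that was not readable before. Recording that rationale in the source matters because, as the thread itself notes, this list has been stable for a long time and unknown consumers may rely on its exact contents.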


Re: pfctl -T show not permitted when kern.securelevel=2

Theo de Raadt-2
> On Sat, Feb 25, 2017 at 11:34:19PM -0500, Peter Colberg wrote:
> > >Synopsis:      pfctl -T show not permitted when kern.securelevel=2
> > >Category:      kernel
> > >Environment:
> >         System      : OpenBSD 6.0
> >         Details     : OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
> >                          [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> >         Architecture: OpenBSD.amd64
> >         Machine     : amd64
> > >Description:
> >         When attempting to list the contents of a pf table and the
> >         kernel is set to securelevel 2, pfctl -T show fails with
> >         `Operation not permitted'. pfctl -vT show works as expected.
> > >How-To-Repeat:
> >         # sysctl kern.securelevel
> >         kern.securelevel=1
> >
> >         # pfctl -t test -T add 198.51.100.81
> >         1 table created.
> >         1/1 addresses added.
> >
> >         # pfctl -t test -T show
> >            198.51.100.81
> >
> >         # pfctl -t test -vT show
> >            198.51.100.81
> >                 Cleared:     Sat Feb 25 22:57:50 2017
> >
> >         # sysctl kern.securelevel=2
> >         kern.securelevel: 1 -> 2
> >
> >         # pfctl -t test -T show
> >         pfctl: Operation not permitted.
> >
> >         # pfctl -t test -vT show
> >            198.51.100.81
> >                 Cleared:     Sat Feb 25 22:57:50 2017
>
> In addition to DIOCRGETASTATS, permit DIOCRGETADDRS if securelevel > 1.
>
> Index: sys/net/pf_ioctl.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_ioctl.c,v
> retrieving revision 1.307
> diff -u -p -r1.307 pf_ioctl.c
> --- sys/net/pf_ioctl.c 30 Jan 2017 17:41:34 -0000 1.307
> +++ sys/net/pf_ioctl.c 28 Feb 2017 05:21:15 -0000
> @@ -917,6 +917,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
>   case DIOCRADDADDRS:
>   case DIOCRDELADDRS:
>   case DIOCRSETADDRS:
> + case DIOCRGETADDRS:
>   case DIOCRGETASTATS:
>   case DIOCRCLRASTATS:
>   case DIOCRTSTADDRS:
>


It was nearly 20 years ago that there were believers in securelevel 2.
I was never one of them.

However, the whole point was that securelevel 2 doesn't let you do a
whole ton of things.  That switch table was essentially complete two
decades ago, and we don't know who is relying upon the behaviour now.

I suggest you adapt.
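A workaround in the spirit of the "adapt" advice above, added here and not part of the thread or of OpenBSD: a small sh wrapper that always lists a table through `pfctl -vT show`, which the report shows still works at securelevel 2, and strips the per-address statistics back out. The entry/statistics indentation it relies on is assumed from the transcript in the report.

```shell
#!/bin/sh
# Added example, not from the thread: list a pf table's entries in a way
# that keeps working at kern.securelevel=2, where plain `pfctl -T show`
# is refused but `pfctl -vT show` still succeeds (as the report shows).
# Assumption taken from the transcript: verbose output prints each entry
# on a line indented by exactly three spaces, and the per-entry
# statistics ("Cleared:", counters) on lines indented further.

# Filter verbose `pfctl -vT show` output (stdin) down to the bare entries.
# Lines that start with exactly three spaces followed by "!", a digit or a
# letter are entries; statistics lines are indented deeper (or with a tab)
# and are dropped. A negated entry keeps its leading "!".
pf_table_addrs_from_verbose() {
    awk '/^   [!0-9A-Za-z]/ { print $1 }'
}

# Table listing that does not depend on the current securelevel: always
# ask for the verbose form and strip the statistics. $1 is the table name.
pf_table_addrs() {
    pfctl -t "$1" -vT show | pf_table_addrs_from_verbose
}

# Constructed sample in the format seen in the report (two entries, one
# negated), so the filter can be exercised on a host without pf.
SAMPLE='   198.51.100.81
        Cleared:     Sat Feb 25 22:57:50 2017
   !203.0.113.0/24
        Cleared:     Sat Feb 25 22:58:00 2017
        In/Block:    [ Packets: 0    Bytes: 0    ]
'

# Run the filter over the constructed sample; returns the two entries.
sample_addrs() {
    printf '%s' "$SAMPLE" | pf_table_addrs_from_verbose
}

sample_addrs
```

On a real system, `pf_table_addrs test` replaces the `pfctl -t test -T show` call from the report.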

