diff options
| author | Hugh Graham <hugh@cvs.openbsd.org> | 2001-06-28 10:04:20 +0000 |
|---|---|---|
| committer | Hugh Graham <hugh@cvs.openbsd.org> | 2001-06-28 10:04:20 +0000 |
| commit | 78e870a58e793558d3ced911a66776ab8e38ed5d (patch) | |
| tree | 6ba0a01f433358342431c3ee29bd09fdd5b4beee | |
| parent | 2fd17782699a82d1e1f6c581dcd57f29c20b7af9 (diff) | |
Disallow filter modification when the system is "highly secure".
Passed by dhartmei.
| -rw-r--r-- | sys/net/pf.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index d623a33e4d7..a8c16aa6f40 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.81 2001/06/27 22:41:25 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.82 2001/06/28 10:04:19 hugh Exp $ */ /* * Copyright (c) 2001, Daniel Hartmeier @@ -581,6 +581,23 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) if (!(flags & FWRITE)) return (EACCES); + if (securelevel > 1) + switch (cmd) { + case DIOCSTART: + case DIOCSTOP: + case DIOCBEGINRULES: + case DIOCADDRULE: + case DIOCCOMMITRULES: + case DIOCBEGINNATS: + case DIOCADDNAT: + case DIOCCOMMITNATS: + case DIOCBEGINRDRS: + case DIOCADDRDR: + case DIOCCOMMITRDRS: + case DIOCCLRSTATES: + return EPERM; + } + switch (cmd) { case DIOCSTART: |