diff --git a/sys/secmodel/bsd44/secmodel_bsd44_suser.c b/sys/secmodel/bsd44/secmodel_bsd44_suser.c
index b63f7e8afc30..9b6fd5ebc990 100644
--- a/sys/secmodel/bsd44/secmodel_bsd44_suser.c
+++ b/sys/secmodel/bsd44/secmodel_bsd44_suser.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat
 * All rights reserved.
@@ -38,7 +38,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $");
 #include
 #include
@@ -1149,7 +1149,14 @@ secmodel_bsd44_suser_device_cb(kauth_cred_t cred, kauth_action_t action,
 if (isroot)
 result = KAUTH_RESULT_ALLOW;
 break;
-
+ case KAUTH_DEVICE_GPIO_PINSET:
+ /*
+ * root can access gpio pins, secmodel_securlevel can veto
+ * this decision.
+ */
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+ break;
 default:
 result = KAUTH_RESULT_DEFER;
 break;
diff --git a/sys/secmodel/securelevel/secmodel_securelevel.c b/sys/secmodel/securelevel/secmodel_securelevel.c
index e9754d165975..9e34e498fcc8 100644
--- a/sys/secmodel/securelevel/secmodel_securelevel.c
+++ b/sys/secmodel/securelevel/secmodel_securelevel.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat
 * All rights reserved.
@@ -35,7 +35,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
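Review bot: The comment on the new `KAUTH_DEVICE_GPIO_PINSET` case in secmodel_bsd44_suser_device_cb misspells the model whose veto it depends on (`secmodel_securlevel`), which makes the cross-reference impossible to grep for; it should read `* root can access gpio pins, secmodel_securelevel can veto`. The hunk also removes the blank line that separated the previous case from `default:`, so the new case now sits flush against both neighbours; keeping a blank line after its `break;` would match what was there before. For a non-root credential this case leaves `result` at its initial value, which is assigned outside the hunk (the function starts and ends outside it), so confirm that value is not an allow.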
@@ -534,6 +534,11 @@ secmodel_securelevel_device_cb(kauth_cred_t cred,
 break;
+ case KAUTH_DEVICE_GPIO_PINSET:
+ if (securelevel > 0)
+ result = KAUTH_RESULT_DENY;
+ break;
+
 default:
 break;
 }
diff --git a/sys/sys/kauth.h b/sys/sys/kauth.h
index 9990ebf01494..872486afba7a 100644
--- a/sys/sys/kauth.h
+++ b/sys/sys/kauth.h
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.59 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.60 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
 * Copyright (c) 2005, 2006 Elad Efrat
@@ -258,6 +258,7 @@ enum {
 KAUTH_DEVICE_RND_SETPRIV,
 KAUTH_DEVICE_BLUETOOTH_BCSP,
 KAUTH_DEVICE_BLUETOOTH_BTUART,
+ KAUTH_DEVICE_GPIO_PINSET
 };
 /*
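Review bot: The new `KAUTH_DEVICE_GPIO_PINSET` case in secmodel_securelevel_device_cb carries no comment, although it is the half of the policy that overrides the root allow granted in secmodel_bsd44_suser.c. A line such as `/* Deny KAUTH_DEVICE_GPIO_PINSET to all credentials once securelevel is above 0. */` above the `if` would state the rule where it is enforced. If the restrictions applied at each securelevel are listed in a manual page or header comment, that list is not touched by this diff and would need the new entry. The function starts and ends outside this hunk.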
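Review bot: The new last enumerator in the kauth.h device-action enum is written without a trailing comma, although the entry it follows, `KAUTH_DEVICE_BLUETOOTH_BTUART,`, had one while it was last; `KAUTH_DEVICE_GPIO_PINSET,` would keep the next addition a one-line change. The header also says nothing about which operation the action guards or what arguments accompany it. Authors of other security models have only the name to decide allow or deny from, so a short comment beside the enumerator stating both would help. The enum begins outside this hunk.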