Pull up following revision(s) (requested by riastradh in ticket #1053):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.36 Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2). securelevel=1 is supposed to be a reasonable default for normal computers. This got in the way of ever getting entropy from a seed on a machine with no HWRNG -- e.g., from another machine, or by making the executive decision that what has been sampled is good enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
This commit is contained in:
parent
e2b5a64e83
commit
7d08a0843a
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $ */
|
||||
/* $NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
|
@ -35,7 +35,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_insecure.h"
|
||||
|
@ -596,7 +596,7 @@ secmodel_securelevel_device_cb(kauth_cred_t cred, kauth_action_t action,
|
|||
break;
|
||||
|
||||
case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
|
||||
if (securelevel > 0)
|
||||
if (securelevel > 1)
|
||||
result = KAUTH_RESULT_DENY;
|
||||
break;
|
||||
|
||||
|
|
Loading…
Reference in New Issue