From 7d08a0843a203456a4256b784fed80e00de9a6c3 Mon Sep 17 00:00:00 2001
From: martin <martin@NetBSD.org>
Date: Mon, 17 Aug 2020 11:27:33 +0000
Subject: [PATCH] Pull up following revision(s) (requested by riastradh in
 ticket #1053):

	sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.36

Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2).
securelevel=1 is supposed to be a reasonable default for normal
computers.  This got in the way of ever getting entropy from a seed
on a machine with no HWRNG -- e.g., from another machine, or by
making the executive decision that what has been sampled is good
enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
---
 sys/secmodel/securelevel/secmodel_securelevel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/secmodel/securelevel/secmodel_securelevel.c b/sys/secmodel/securelevel/secmodel_securelevel.c
index 9b91bfc48645..44c9f38d2128 100644
--- a/sys/secmodel/securelevel/secmodel_securelevel.c
+++ b/sys/secmodel/securelevel/secmodel_securelevel.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
@@ -596,7 +596,7 @@ secmodel_securelevel_device_cb(kauth_cred_t cred, kauth_action_t action,
 		break;
 
 	case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
-		if (securelevel > 0)
+		if (securelevel > 1)
 			result = KAUTH_RESULT_DENY;
 		break;