Pull up following revision(s) (requested by riastradh in ticket #1053):

sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.36 Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2). securelevel=1 is supposed to be a reasonable default for normal computers. This got in the way of ever getting entropy from a seed on a machine with no HWRNG -- e.g., from another machine, or by making the executive decision that what has been sampled is good enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
2020-08-17 11:27:33 +00:00 · 2020-08-17 11:27:33 +00:00 · 7d08a0843a
parent e2b5a64e83
commit 7d08a0843a
1 changed files with 3 additions and 3 deletions
--- a/sys/secmodel/securelevel/secmodel_securelevel.c
+++ b/sys/secmodel/securelevel/secmodel_securelevel.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -35,7 +35,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
@ -596,7 +596,7 @@ secmodel_securelevel_device_cb(kauth_cred_t cred, kauth_action_t action,
 		break;
 	case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
-		if (securelevel > 0)
+		if (securelevel > 1)
 			result = KAUTH_RESULT_DENY;
 		break;