From a3c81f769c56881fdd18ac653ae8bb6fa90157ea Mon Sep 17 00:00:00 2001
From: elad
Date: Thu, 16 Jun 2005 15:45:48 +0000
Subject: [PATCH] Since NetBSD operates in securelevel -1 by default, don't rely on the securelevel alone when checking if the veriexec tables can be modified; also check if the strict level is above 0.
---
 sys/dev/verified_exec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sys/dev/verified_exec.c b/sys/dev/verified_exec.c
index e89265df6da3..b0269de25bb5 100644
--- a/sys/dev/verified_exec.c
+++ b/sys/dev/verified_exec.c
@@ -1,4 +1,4 @@
-/* $NetBSD: verified_exec.c,v 1.13 2005/06/16 15:41:36 elad Exp $ */
+/* $NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $ */
 /*-
 * Copyright 2005 Elad Efrat
@@ -31,9 +31,9 @@
 #include
 #if defined(__NetBSD__)
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.13 2005/06/16 15:41:36 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $");
 #else
-__RCSID("$Id: verified_exec.c,v 1.13 2005/06/16 15:41:36 elad Exp $\n$NetBSD: verified_exec.c,v 1.13 2005/06/16 15:41:36 elad Exp $");
+__RCSID("$Id: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $\n$NetBSD: verified_exec.c,v 1.14 2005/06/16 15:45:48 elad Exp $");
 #endif
 #include
@@ -161,9 +161,9 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
 /*
 * Don't allow updates in multi-user mode.
 */
- if (securelevel >= 1) {
- printf("Veriexec: veriexecioctl: Securelevel raised, loading"
- "fingerprints is not permitted\n");
+ if ((securelevel > 0) || (veriexec_strict > 0)) {
+ printf("Veriexec: veriexecioctl: Securelevel or strict "
+ "mode, modifying veriexec tables is not permitted.\n");
 return (EPERM);
 }
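Review bot: The new guard `if ((securelevel > 0) || (veriexec_strict > 0))` in veriexecioctl is only as strong as the rule for changing `veriexec_strict`: if the strict level can be lowered back to 0 while securelevel is still -1 or 0, the table lock this check adds can be undone by the same privileged caller it is meant to stop. The code that sets `veriexec_strict` is not in this hunk, so it should be confirmed there that the level can only be raised, never lowered. The comment above the check still reads "Don't allow updates in multi-user mode.", which no longer describes the condition; something like `/* Don't allow table updates once securelevel or the veriexec strict level has been raised. */` would match. The body of veriexecioctl starts before and continues after the hunk.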