From ecc14aae122671c892294055e4397e36382b6916 Mon Sep 17 00:00:00 2001
From: Poul-Henning Kamp <phk@FreeBSD.org>
Date: Thu, 4 Nov 2004 09:17:55 +0000
Subject: [PATCH] Add back securelevel check for disks.

XXX: This should live in geom_dev.c but we don't have access to the
cred there.
XXX: XXX:  This may not matter anymore since filesystems use geom_vfs.
---
 sys/fs/devfs/devfs_vnops.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 5e1252832f9a..5f9f16285153 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -710,6 +710,18 @@ devfs_open(ap)
 	if (dev->si_iosize_max == 0)
 		dev->si_iosize_max = DFLTPHYS;
 
+	if (vn_isdisk(vp, NULL) &&
+	    ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
+		/*
+		* When running in very secure mode, do not allow
+		* opens for writing of any disks.
+		* XXX: should be in geom_dev.c, but we lack the cred there.
+		*/
+		error = securelevel_ge(td->td_ucred, 2);
+		if (error)
+			return (error);
+	}
+
 	dsw = dev_refthread(dev);
 	if (dsw == NULL)
 		return (ENXIO);