# Working around kern.securelevel



## xibo (Jul 25, 2013)

This is what I recorded in the jail (which has mount.devfs set):


```
# sysctl kern.securelevel
kern.securelevel: 3
# dd if=/dev/zero of=/dev/da0
dd: /dev/da0: Operation not permitted
# gpart destroy -F da0
da0 destroyed
#
```

From outside the jail, I can see da0 (a USB flash memory device for testing) was indeed destroyed. Is there a way to prevent gpart from writing to media (other than writing a devfs rule file for the jail)? Also, what other ways (besides gpart) are there to work around kern.securelevel?


----------



## ta0kira (Jul 25, 2013)

Maybe the USB mass-storage driver doesn't check kern.securelevel, which I assume the drivers for "proper" drives do. Disks are character devices and you need to be able to open _some_ character devices even at a high kern.securelevel, so flash drives might have fallen through the cracks.

Kevin Barry


----------



## xibo (Jul 26, 2013)

Indeed, I need to open at least some pseudoterminals, which are character devices. However, using gpart I can write on HDDs with mounted partitions on them (I haven't tried deleting the partition table so far, but I can modify the "active" attribute).


----------



## Uniballer (Jul 26, 2013)

Please file an SPR.


----------

