Date: Mon, 7 Nov 2005 15:31:31 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 86421 for review Message-ID: <200511071531.jA7FVVfL097015@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=86421
Change 86421 by millert@millert_ibook on 2005/11/07 15:30:32
Enable audit rate limiting on darwin
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 (text+ko) ====
@@ -75,6 +75,7 @@
 #ifdef __APPLE__
 static mutex_t *avc_lock;
 static mutex_t *avc_log_lock;
+uint64_t avc_msg_cost, avc_msg_burst;
 #else
 static struct mtx avc_lock;
 static struct mtx avc_log_lock;
@@ -229,6 +230,8 @@
 #ifdef __APPLE__
 avc_lock = mutex_alloc(ETAP_NO_TRACE);
 avc_log_lock = mutex_alloc(ETAP_NO_TRACE);
+ nanoseconds_to_absolutetime(5000000000ULL, &avc_msg_cost);
+ avc_msg_burst = 10 * avc_msg_cost;
 #else
 mtx_init(&avc_lock, "SEBSD AVC", NULL, MTX_DEF);
 mtx_init(&avc_log_lock, "SEBSD message lock", NULL, MTX_DEF);
@@ -469,13 +472,17 @@
 printk(" %s=%d", name2, ntohs(port));
 }
-#if 0
+#ifdef __APPLE__
+#define AVC_MSG_COST avc_msg_cost
+#define AVC_MSG_BURST avc_msg_burst
+#else
 /*
 * Copied from net/core/utils.c:net_ratelimit and modified for
 * use by the AVC audit facility.
 */
 #define AVC_MSG_COST 5*HZ
 #define AVC_MSG_BURST 10*5*HZ
+#endif
 /*
 * This enforces a rate limit: not more than one kernel message
@@ -483,12 +490,26 @@
 */
 static int avc_ratelimit(void)
 {
+#ifdef __APPLE__
+ static mutex_t *ratelimit_lock;
+ static uint64_t toks;
+ static uint64_t last_msg;
+ static int missed, rc = 0;
+ uint64_t now;
+
+ now = mach_absolute_time();
+ if (ratelimit_lock == NULL) {
+ ratelimit_lock = mutex_alloc(ETAP_NO_TRACE);
+ toks = avc_msg_burst;
+ }
+#else
 static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
- static unsigned long toks = 10*5*HZ;
+ static unsigned long toks = AVC_MSG_BURST;
 static unsigned long last_msg;
 static int missed, rc = 0;
 unsigned long flags;
 unsigned long now = jiffies;
+#endif
 spin_lock_irqsave(&ratelimit_lock, flags);
 toks += now - last_msg;
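Review bot: `uint64_t avc_msg_cost, avc_msg_burst;` in the first hunk is introduced with external linkage while the neighbouring `avc_lock`/`avc_log_lock` are `static`; unless another file reads the rate-limit parameters, `static uint64_t avc_msg_cost, avc_msg_burst;` keeps them out of the global namespace like their neighbours. Their unit is also not stated at the declaration: the init hunk fills them via `nanoseconds_to_absolutetime(5000000000ULL, ...)`, so a comment such as `/* rate-limit cost (5 s) and burst (10 x cost) in mach_absolute_time() units */` would tell a reader why they are `uint64_t` rather than the `5*HZ` jiffies used on the other side of the `#ifdef`.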
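Review bot: The lazy initialisation of `ratelimit_lock` in the Darwin branch of avc_ratelimit is a check-then-act race: the `ratelimit_lock == NULL` test runs before any lock is held, so two first callers can both allocate a mutex and reset `toks`, leaving one mutex leaked and the two callers serialised on different locks. Allocating it in the same init path that already does `avc_log_lock = mutex_alloc(ETAP_NO_TRACE);` (with the lock and `toks` made file-scope and `toks = avc_msg_burst;` set there) removes the race and the per-call NULL test from the audit hot path. The Darwin branch also declares no `flags`, yet the shared `spin_lock_irqsave(&ratelimit_lock, flags);` after `#endif` still names it and is applied to a `mutex_t *`; presumably a compatibility macro covers this, but a one-line comment saying so at the `#ifdef __APPLE__` would save the next reader the search. The body of avc_ratelimit continues past the hunk.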
@@ -522,15 +543,6 @@
 }
 }
-#else
-
-static inline int check_avc_ratelimit(void)
-{
- return 1;
-}
-
-#endif
-
 /**
 * avc_audit - Audit the granting or denial of permissions.
 * @ssid: source security identifier