From owner-p4-projects@FreeBSD.ORG Mon Nov 7 15:31:32 2005 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 387A616A422; Mon, 7 Nov 2005 15:31:32 +0000 (GMT) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F0CF16A41F for ; Mon, 7 Nov 2005 15:31:32 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7B4D43D45 for ; Mon, 7 Nov 2005 15:31:31 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id jA7FVV0P097018 for ; Mon, 7 Nov 2005 15:31:31 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id jA7FVVfL097015 for perforce@freebsd.org; Mon, 7 Nov 2005 15:31:31 GMT (envelope-from millert@freebsd.org) Date: Mon, 7 Nov 2005 15:31:31 GMT Message-Id: <200511071531.jA7FVVfL097015@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 86421 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Nov 2005 15:31:33 -0000 http://perforce.freebsd.org/chv.cgi?CH=86421 Change 86421 by millert@millert_ibook on 2005/11/07 15:30:32 Enable audit rate limiting on darwin Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 (text+ko) ====
@@ -75,6 +75,7 @@
 #ifdef __APPLE__
 static mutex_t *avc_lock;
 static mutex_t *avc_log_lock;
+uint64_t avc_msg_cost, avc_msg_burst;
 #else
 static struct mtx avc_lock;
 static struct mtx avc_log_lock;
@@ -229,6 +230,8 @@
 #ifdef __APPLE__
 avc_lock = mutex_alloc(ETAP_NO_TRACE);
 avc_log_lock = mutex_alloc(ETAP_NO_TRACE);
+ nanoseconds_to_absolutetime(5000000000ULL, &avc_msg_cost);
+ avc_msg_burst = 10 * avc_msg_cost;
 #else
 mtx_init(&avc_lock, "SEBSD AVC", NULL, MTX_DEF);
 mtx_init(&avc_log_lock, "SEBSD message lock", NULL, MTX_DEF);
@@ -469,13 +472,17 @@
 printk(" %s=%d", name2, ntohs(port));
 }
-#if 0
+#ifdef __APPLE__
+#define AVC_MSG_COST avc_msg_cost
+#define AVC_MSG_BURST avc_msg_burst
+#else
 /*
 * Copied from net/core/utils.c:net_ratelimit and modified for
 * use by the AVC audit facility.
 */
 #define AVC_MSG_COST 5*HZ
 #define AVC_MSG_BURST 10*5*HZ
+#endif
 /*
 * This enforces a rate limit: not more than one kernel message
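Review bot: `uint64_t avc_msg_cost, avc_msg_burst;` in the first hunk is given external linkage while every neighbouring lock variable in both branches of the `#ifdef` is `static`. Within this file the two values are only reached through the AVC_MSG_COST/AVC_MSG_BURST macros added in the third hunk, so unless another translation unit reads them, `static uint64_t avc_msg_cost, avc_msg_burst;` keeps them file-local and consistent with the surrounding declarations. A one-line comment would also help the reader who does not know Mach time units, e.g. `/* audit rate limit: cost of one message and burst allowance, in mach_absolute_time() units; set at init */`.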
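Review bot: `nanoseconds_to_absolutetime(5000000000ULL, &avc_msg_cost);` in the second hunk hard-codes the rate-limit interval as an unexplained magic number, and the relationship to the `5*HZ` / `10*5*HZ` policy kept in the non-Apple branch is left for the reader to work out. A comment above the two lines would carry that, e.g. `/* Same policy as AVC_MSG_COST/AVC_MSG_BURST below: one audit message per 5 s, burst of 10, expressed in absolute-time units. */`; a named constant for the nanosecond value would do as well. The enclosing init function starts and ends outside the hunk.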
@@ -483,12 +490,26 @@
 */
 static int avc_ratelimit(void)
 {
+#ifdef __APPLE__
+ static mutex_t *ratelimit_lock;
+ static uint64_t toks;
+ static uint64_t last_msg;
+ static int missed, rc = 0;
+ uint64_t now;
+
+ now = mach_absolute_time();
+ if (ratelimit_lock == NULL) {
+ ratelimit_lock = mutex_alloc(ETAP_NO_TRACE);
+ toks = avc_msg_burst;
+ }
+#else
 static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
- static unsigned long toks = 10*5*HZ;
+ static unsigned long toks = AVC_MSG_BURST;
 static unsigned long last_msg;
 static int missed, rc = 0;
 unsigned long flags;
 unsigned long now = jiffies;
+#endif
 spin_lock_irqsave(&ratelimit_lock, flags);
 toks += now - last_msg;
@@ -522,15 +543,6 @@
 }
 }
-#else
-
-static inline int check_avc_ratelimit(void)
-{
- return 1;
-}
-
-#endif
-
 /**
 * avc_audit - Audit the granting or denial of permissions.
 * @ssid: source security identifier
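Review bot: The Darwin branch of avc_ratelimit initialises its lock lazily with an unsynchronised `if (ratelimit_lock == NULL)` test, so two threads reaching their first audited denial at the same moment can both call `mutex_alloc`, leaking one mutex and briefly serialising on different locks — and this is the lock that is supposed to keep a flood of denials from swamping the audit log. The second hunk already allocates `avc_lock` and `avc_log_lock` in the `#ifdef __APPLE__` init path, so the cleaner fix is a file-scope `static mutex_t *ratelimit_lock;`, with `ratelimit_lock = mutex_alloc(ETAP_NO_TRACE);` and `toks = avc_msg_burst;` done there and the NULL check dropped. Separately, `flags` is declared only in the `#else` branch while `spin_lock_irqsave(&ratelimit_lock, flags);` after `#endif` is shared by both, so unless the Darwin build redefines spin_lock_irqsave as a mutex wrapper that ignores its second argument this will not compile. Note also that `last_msg` starts at 0 on Darwin, so the first `toks += now - last_msg` adds the whole absolute-time value; that is only harmless if the clamp to AVC_MSG_BURST from net_ratelimit follows, which lies outside the hunk, as does the rest of avc_ratelimit.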