Date: Tue, 23 Jul 2013 21:20:28 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 231384 for review Message-ID: <201307232120.r6NLKSAd099408@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@231384?ac=10 Change 231384 by rwatson@rwatson_cinnamon on 2013/07/23 21:20:17 Classify various TESLA assertions and allow them to be conditionally compiled. Affected files ... .. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA#4 edit .. //depot/projects/ctsrd/tesla/src/sys/conf/options#4 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#6 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#4 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#4 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/vfs_vnops.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#4 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#14 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#4 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#4 edit Differences ... 
==== //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA#4 (text+ko) ==== @@ -2,3 +2,7 @@ ident TESLA options TESLA +options TESLA_CAPSICUM +options TESLA_MAC +options TESLA_PRIV +options TESLA_PROC ==== //depot/projects/ctsrd/tesla/src/sys/conf/options#4 (text+ko) ==== @@ -672,6 +672,10 @@ KTR_ENTRIES opt_global.h KTR_VERBOSE opt_ktr.h TESLA opt_global.h +TESLA_CAPSICUM opt_global.h +TESLA_MAC opt_global.h +TESLA_PRIV opt_global.h +TESLA_PROC opt_global.h WITNESS opt_global.h WITNESS_KDB opt_witness.h WITNESS_NO_VNODE opt_witness.h ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#3 (text+ko) ==== @@ -74,7 +74,9 @@ struct vnode *textvp; int error; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); +#endif freepath = NULL; PROC_LOCK(p); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#3 (text+ko) ==== @@ -313,7 +313,9 @@ int error; struct namemap *nm; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif if (uio == NULL || uio->uio_rw != UIO_WRITE) return (EOPNOTSUPP); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#3 (text+ko) ==== @@ -71,7 +71,9 @@ int ival; #endif +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif KASSERT(p != NULL, ("%s() called without a process", __func__)); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#3 (text+ko) ==== @@ -51,7 +51,9 @@ procfs_doprocnote(PFS_FILL_ARGS) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif sbuf_trim(sb); sbuf_finish(sb); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#3 (text+ko) ==== @@ -45,7 +45,9 @@ const char *pp; int ov, osrel, i; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif if (uio == NULL) return (EOPNOTSUPP); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#3 (text+ko) ==== 
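Review bot: In the sys/conf/options hunk the four new class options are added without any comment, yet every assertion touched by this change is now compiled only when its class option is set, so a kernel config that carries `options TESLA` alone builds none of them. Only the amd64 TESLA config is updated in this change. I would document that next to the new entries, e.g. `# TESLA assertion classes; an assertion is compiled only if its class option is set`, so that a config missing a class is not mistaken for one with full coverage.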
@@ -67,7 +67,9 @@ struct plimit *limp; int i; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif /* * Obtain a private reference to resource limits ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#3 (text+ko) ==== @@ -74,7 +74,9 @@ int pid, ppid, pgid, sid; int i; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); +#endif pid = p->p_pid; PROC_LOCK(p); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#3 (text+ko) ==== @@ -48,7 +48,9 @@ { static const char *none = "Not Available"; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); +#endif if (p != NULL && p->p_sysent && p->p_sysent->sv_name) sbuf_printf(sb, "%s", p->p_sysent->sv_name); ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#3 (text+ko) ==== @@ -539,7 +539,10 @@ } } PROC_LOCK_ASSERT(p, MA_OWNED); + +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0); +#endif /* * Now that the appropriate locks are held and we have enough cpusets, @@ -717,7 +720,9 @@ if (error) goto out; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0); +#endif set = NULL; thread_lock(td); ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#3 (text+ko) ==== @@ -296,8 +296,10 @@ error = sysctl_handle_string(oidp, tmpname, len, req); if (req->newptr != NULL && error == 0) { +#ifdef TESLA_PRIV TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, PRIV_SYSCTL_WRITEJAIL) == 0); +#endif /* * Copy the locally set hostname to all jails that share @@ -357,8 +359,10 @@ if (error || !req->newptr) return (error); +#ifdef TESLA_PRIV TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, PRIV_SYSCTL_WRITEJAIL) == 0); +#endif /* Permit update only if the new securelevel exceeds the old. */ sx_slock(&allprison_lock); ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#6 (text+ko) ==== 
@@ -2148,14 +2148,20 @@ euid = euip->ui_uid; +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), euid) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), euid, ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif newcred->cr_uid = euid; uihold(euip); @@ -2173,14 +2179,20 @@ change_egid(struct ucred *newcred, gid_t egid) { +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) || previously(mac_cred_check_setregid(ANY(ptr), ANY(int), egid) == 0) || previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), egid, ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif newcred->cr_groups[0] = egid; } @@ -2198,14 +2210,20 @@ { uid_t ruid = ruip->ui_uid; +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ruid, ANY(int)) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ruid, ANY(int), ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); newcred->cr_ruid = ruid; @@ -2225,14 +2243,20 @@ change_rgid(struct ucred *newcred, gid_t rgid) { +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) || previously(mac_cred_check_setregid(ANY(ptr), rgid, ANY(int)) == 0) || previously(mac_cred_check_setresgid(ANY(ptr), rgid, ANY(int), ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif newcred->cr_rgid = rgid; } 
@@ -2247,14 +2271,20 @@ change_svuid(struct ucred *newcred, uid_t svuid) { +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), ANY(int)) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), ANY(int), ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif newcred->cr_svuid = svuid; } @@ -2269,14 +2299,20 @@ change_svgid(struct ucred *newcred, gid_t svgid) { +#ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) || previously(mac_cred_check_setregid(ANY(ptr), ANY(int), ANY(int)) == 0) || previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), ANY(int), ANY(int)) == 0)); +#endif +#endif +#ifdef TESLA_PROC TESLA_SYSCALL(previously(called(setsugid)) || eventually(called(setsugid))); +#endif newcred->cr_svgid = svgid; } ==== //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#3 (text+ko) ==== @@ -137,7 +137,9 @@ int policy; int e; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0); +#endif e = getscheduler(ksched, td, &policy); @@ -155,7 +157,9 @@ { struct rtprio rtp; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); +#endif pri_to_rtp(td, &rtp); if (RTP_PRIO_IS_REALTIME(rtp.type)) @@ -187,7 +191,9 @@ int e = 0; struct rtprio rtp; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0); +#endif switch(policy) { @@ -232,7 +238,9 @@ ksched_getscheduler(struct ksched *ksched, struct thread *td, int *policy) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); +#endif return getscheduler(ksched, td, policy); } 
@@ -297,7 +305,9 @@ struct thread *td, struct timespec *timespec) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); +#endif *timespec = ksched->rr_interval; ==== //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#4 (text+ko) ==== @@ -141,7 +141,9 @@ proc_read_regs(struct thread *td, struct reg *regs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_regs(td, regs)); } @@ -150,7 +152,9 @@ proc_write_regs(struct thread *td, struct reg *regs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_regs(td, regs)); } @@ -159,7 +163,9 @@ proc_read_dbregs(struct thread *td, struct dbreg *dbregs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_dbregs(td, dbregs)); } @@ -168,7 +174,9 @@ proc_write_dbregs(struct thread *td, struct dbreg *dbregs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_dbregs(td, dbregs)); } @@ -181,7 +189,9 @@ proc_read_fpregs(struct thread *td, struct fpreg *fpregs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_fpregs(td, fpregs)); } @@ -190,7 +200,9 @@ proc_write_fpregs(struct thread *td, struct fpreg *fpregs) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_fpregs(td, fpregs)); } @@ -201,7 +213,9 @@ proc_read_regs32(struct thread *td, struct reg32 *regs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_regs32(td, regs32)); } @@ -210,7 +224,9 @@ proc_write_regs32(struct thread *td, struct reg32 *regs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_regs32(td, regs32)); } 
@@ -219,7 +235,9 @@ proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_dbregs32(td, dbregs32)); } @@ -228,7 +246,9 @@ proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_dbregs32(td, dbregs32)); } @@ -237,7 +257,9 @@ proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(fill_fpregs32(td, fpregs32)); } @@ -246,7 +268,9 @@ proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(set_fpregs32(td, fpregs32)); } @@ -256,7 +280,9 @@ proc_sstep(struct thread *td) { +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); +#endif PROC_ACTION(ptrace_single_step(td)); } @@ -269,7 +295,9 @@ vm_prot_t reqprot; int error, fault_flags, page_offset, writing; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif /* * Assert that someone has locked this vmspace. (Should be @@ -366,7 +394,9 @@ u_int pathlen; int error, index; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif error = 0; obj = NULL; @@ -474,7 +504,9 @@ struct ptrace_vm_entry pve; int error; +#ifdef TESLA_PROC TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); +#endif pve.pve_entry = pve32->pve_entry; pve.pve_pathlen = pve32->pve_pathlen; ==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#4 (text+ko) ==== @@ -425,9 +425,11 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type, proto) == 0); #endif +#endif if (proto) prp = pffindproto(dom, proto, type); 
@@ -625,9 +627,11 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0); #endif +#endif CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_bind)(so, nam, td); @@ -641,9 +645,11 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0); #endif +#endif CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_bindat)(fd, so, nam, td); @@ -669,8 +675,10 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0); #endif +#endif CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_listen)(so, backlog, td); @@ -921,9 +929,11 @@ #ifdef MAC /* Access-control check is on head rather than so. */ +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) == 0); #endif +#endif SOCK_LOCK(so); KASSERT((so->so_state & SS_NOFDREF) != 0, ("soaccept: !NOFDREF")); @@ -941,9 +951,11 @@ { #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so, nam) == 0); #endif +#endif return (soconnectat(AT_FDCWD, so, nam, td)); } @@ -1483,7 +1495,9 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0); +#ifdef TESLA_MAC #endif CURVNET_SET(so->so_vnet); @@ -2443,8 +2457,10 @@ int error; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0); #endif +#endif CURVNET_SET(so->so_vnet); error = (so->so_proto->pr_usrreqs->pru_soreceive(so, psa, uio, mp0, @@ -3124,8 +3140,10 @@ * XXXRW: Should be active_cred but actually fp->f_cred is getting * passed down the stack, so the wrong cred here! */ +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); #endif +#endif SOCKBUF_LOCK(&so->so_snd); SOCKBUF_LOCK(&so->so_rcv); 
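Review bot: In the `@@ -1483,7 +1495,9 @@` hunk of uipc_socket.c the second added line is `#ifdef TESLA_MAC`, where every other hunk in this file adds `#endif`, so the conditionals opened around the mac_socket_check_send assertion are not all closed. As written the file has more `#ifdef` than `#endif` lines from this point on and should fail to preprocess with an unterminated conditional. The added line after the assertion should be `#endif`. The enclosing function starts and ends outside the hunk.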
@@ -3173,8 +3191,10 @@ struct sockbuf *sb; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); #endif +#endif switch (kn->kn_filter) { case EVFILT_READ: ==== //depot/projects/ctsrd/tesla/src/sys/kern/vfs_vnops.c#5 (text+ko) ==== @@ -710,10 +710,12 @@ } offset = uio->uio_offset; +#ifdef TESLA_CAPSICUM TESLA_WITHIN(kern_readv, previously(fget_unlocked(ANY(ptr), ANY(int), bitmask(CAP_READ), ANY(int), &fp, ANY(ptr)) == 0)); TESLA_WITHIN(kern_preadv, previously(fget_unlocked(ANY(ptr), ANY(int), bitmask(CAP_PREAD), ANY(int), &fp, ANY(ptr)) == 0)); +#endif #ifdef MAC error = mac_vnode_check_read(active_cred, fp->f_cred, vp); if (error == 0) @@ -819,10 +821,12 @@ } offset = uio->uio_offset; +#ifdef TESLA_CAPSICUM TESLA_WITHIN(kern_writev, previously(fget_unlocked(ANY(ptr), ANY(int), bitmask(CAP_WRITE), ANY(int), &fp, ANY(ptr)) == 0)); TESLA_WITHIN(kern_pwritev, previously(fget_unlocked(ANY(ptr), ANY(int), bitmask(CAP_PWRITE), ANY(int), &fp, ANY(ptr)) == 0)); +#endif #ifdef MAC error = mac_vnode_check_write(active_cred, fp->f_cred, vp); if (error == 0) @@ -1211,8 +1215,10 @@ if (error) goto out; #endif +#ifdef TESLA_CAPSICUM TESLA_WITHIN(kern_ftruncate, previously(fget_unlocked(ANY(ptr), ANY(int), bitmask(CAP_FTRUNCATE), ANY(int), &fp, ANY(ptr)) == 0)); +#endif error = vn_writechk(vp); if (error == 0) { VATTR_NULL(&vattr); ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#3 (text+ko) ==== @@ -196,8 +196,10 @@ mac_cred_relabel(struct ucred *cred, struct label *newlabel) { +#ifdef TESLA_MAC TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) == 0)); +#endif MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); } ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#3 (text+ko) ==== 
@@ -143,8 +143,10 @@ struct label *newlabel) { +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel) == 0); +#endif MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, newlabel); ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#4 (text+ko) ==== @@ -172,7 +172,9 @@ } imgp->execlabel = label; +#ifdef TESLA_MAC TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit)); +#endif return (0); } @@ -181,7 +183,9 @@ mac_execve_exit(struct image_params *imgp) { +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr)))); +#endif if (imgp->execlabel != NULL) { mac_cred_label_free(imgp->execlabel); @@ -200,7 +204,9 @@ } else *interpvplabel = NULL; +#ifdef TESLA_MAC TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit)); +#endif } void @@ -209,8 +215,10 @@ if (interpvplabel != NULL) { /* Awkwardly, _exit() may be called even if _enter() wasn't. */ +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(called( mac_execve_interpreter_enter(ANY(ptr), ANY(ptr)))); +#endif mac_vnode_label_free(interpvplabel); } ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#3 (text+ko) ==== @@ -258,8 +258,10 @@ struct label *newlabel) { +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel) == 0); +#endif SOCK_LOCK_ASSERT(so); ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#3 (text+ko) ==== @@ -949,8 +949,10 @@ struct label *newlabel) { +#ifdef TESLA_MAC TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel) == 0)); +#endif MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel); } ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#14 (text+ko) ==== 
@@ -440,11 +440,13 @@ vp = ap->a_vp; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(incallstack(ufs_readdir) || previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0)); TESLA_PAGE_FAULT(incallstack(ufs_readdir) || previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0)); #endif +#endif uio = ap->a_uio; ioflag = ap->a_ioflag; @@ -668,11 +670,13 @@ vp = ap->a_vp; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(previously(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp) == 0)); - TESLA_PAGE_FAULT(previously(mac_vnode_check_WRITE(ANY(ptr), ANY(ptr), + TESLA_PAGE_FAULT(previously(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp) == 0)); #endif +#endif uio = ap->a_uio; ioflag = ap->a_ioflag; @@ -1484,10 +1488,12 @@ u_char *eae, *p; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(incallstack(ufs_setacl) || previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0)); #endif +#endif ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1577,10 +1583,12 @@ int error, ealen; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(incallstack(ufs_getacl) || previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0)); #endif +#endif ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1639,9 +1647,11 @@ int error, ealen; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace) == 0); #endif +#endif ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1708,10 +1718,12 @@ u_char *eae, *p; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(incallstack(ufs_setacl) || mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0); #endif +#endif ip = VTOI(ap->a_vp); fs = ip->i_fs; ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#3 (text+ko) ==== 
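Review bot: In the `@@ -1708,10 +1718,12 @@` hunk of ffs_vnops.c the guarded assertion tests `mac_vnode_check_setextattr(...) == 0` directly, without the `previously(...)` wrapper that the deleteextattr and getextattr assertions in the same file use; the `mac_vnode_check_open` assertion in the `@@ -274,9 +274,11 @@` hunk of ufs_vnops.c has the same shape. If these are meant to assert that the MAC check already ran and succeeded, as their neighbours do, the term should read `previously(mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0)`. These lines are context rather than additions, but this change already tidies the assertions (the `mac_vnode_check_WRITE` spelling fix earlier in the file), so it is the natural place to correct them. Both functions continue outside their hunks.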
@@ -364,9 +364,11 @@ { #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp, ap->a_type) == 0); #endif +#endif if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0) return (EOPNOTSUPP); @@ -620,6 +622,7 @@ { #ifdef MAC +#ifdef TESLA_MAC if (ap->a_aclp == NULL) TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr), ap->a_vp, ap->a_type) == 0); @@ -627,6 +630,7 @@ TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setacl(ANY(ptr), ap->a_vp, ap->a_type, ap->a_aclp) == 0); #endif +#endif if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0) return (EOPNOTSUPP); ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#4 (text+ko) ==== @@ -213,9 +213,11 @@ { #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp, ap->a_cnp) == 0); #endif +#endif return (ufs_lookup_ino(ap->a_dvp, ap->a_vpp, ap->a_cnp, NULL)); } ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#4 (text+ko) ==== @@ -274,9 +274,11 @@ struct inode *ip; #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL(incallstack(kern_execve) || mac_vnode_check_open(ANY(ptr), vp, ANY(int)) == 0); #endif +#endif if (vp->v_type == VCHR || vp->v_type == VBLK) return (EOPNOTSUPP); @@ -538,9 +540,11 @@ } if (vap->va_flags != VNOVAL) { #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setflags(ANY(ptr), vp, ANY(int)) == 0); #endif +#endif if ((vap->va_flags & ~(UF_NODUMP | UF_IMMUTABLE | UF_APPEND | UF_OPAQUE | UF_NOUNLINK | SF_ARCHIVED | SF_IMMUTABLE | SF_APPEND | SF_NOUNLINK | SF_SNAPSHOT)) != 0) @@ -605,9 +609,11 @@ } if (vap->va_size != VNOVAL) { #ifdef MAC +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp) == 0); #endif +#endif /* * XXX most of the following special cases should be in 
@@ -653,10 +659,12 @@ * XXXRW: TESLA can't currently instrument functions with * struct arguments. */ +#ifdef TESLA_MAC TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setutimes(ANY(ptr), vp, ANY(timespec), ANY(timespec)) == 0); #endif #endif +#endif if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); @@ -792,9 +800,11 @@ int error; #ifdef MAC >>> TRUNCATED FOR MAIL (1000 lines) <<<
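Review bot: The `@@ -653,10 +659,12 @@` hunk of ufs_vnops.c now ends in three consecutive bare `#endif` lines, and the added `#ifdef TESLA_MAC` is opened innermost while its `#endif` is added last, so it is not obvious which directive closes which. Put a labelled `#endif /* TESLA_MAC */` directly after the assertion and leave the two existing `#endif` lines for the outer conditionals, which open outside the hunk. The same labelling would help in the other hunks that nest `TESLA_MAC` inside `MAC`.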