Date: Thu, 30 Jun 2005 14:49:30 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 79303 for review Message-ID: <200506301449.j5UEnULE036724@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=79303 Change 79303 by rwatson@rwatson_zoo on 2005/06/30 14:48:57 Add an AVC auditing frob, selinux_auditing, similar to selinux_enforcing, in order to make it easier to enable and disable auditing during debugging. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 (text+ko) ==== @@ -39,6 +39,7 @@ #include <security/sebsd/avc/av_inherit.h> #include <security/sebsd/avc/av_perm_to_string.h> +int selinux_auditing = 1; int selinux_enforcing = 0; #define AVC_CACHE_SLOTS 512 @@ -503,6 +504,17 @@ static inline int check_avc_ratelimit(void) { + + /* + * If auditing is not enabled, suppress all messages. + */ + if (!selinux_auditing) + return 0; + + /* + * Otherwise, rate limit messages in enforcing mode, or display all + * messages in permissive mode. + */ if (selinux_enforcing) return avc_ratelimit(); else { @@ -515,7 +527,14 @@ static inline int check_avc_ratelimit(void) { - return 1; + + /* + * If auditing is not enabled, suppress all audit messages. + */ + if (selinux_auditing) + return 1; + else + return 0; } #endif ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 (text+ko) ==== @@ -22,6 +22,8 @@ #include <security/sebsd/avc/av_permissions.h> #include <security/sebsd/ss/security.h> +extern int selinux_auditing; + #define CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ==== @@ -97,6 +97,40 @@ } /* + * Sysctl handler for security.mac.sebsd.auditing. Get or set whether the + * avc will audit failures. + */ +static int +sysctl_sebsd_auditing(SYSCTL_HANDLER_ARGS) +{ + int error, auditing; + + /* TBD: XXX Always allow the users to find out? */ + auditing = selinux_auditing; + error = SYSCTL_OUT(req, &auditing, sizeof(auditing)); + if (error) + return (error); + + if (req->newptr != NULL) { + error = SYSCTL_IN(req, &auditing, sizeof(auditing)); + if (error) + return (error); + + /* + * Treat ability to set audit status as equivilent to + * changing enforcement status. + */ + error = thread_has_system (curthread, SECURITY__SETENFORCE); + if (error) + return error; + + selinux_auditing = auditing; + } + + return (0); +} + +/* * Sysctl handler for security.mac.sebsd.enforcing * Get and/or set whether the avc is in enforcement mode. */ @@ -312,5 +346,7 @@ SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A", "SEBSD access vector decision query"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW, + NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW, NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506301449.j5UEnULE036724>