From owner-p4-projects@FreeBSD.ORG  Thu Jun 30 14:49:31 2005
Return-Path: <owner-p4-projects@FreeBSD.ORG>
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id DDB6E16A420; Thu, 30 Jun 2005 14:49:30 +0000 (GMT)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A082B16A41C
	for <perforce@freebsd.org>; Thu, 30 Jun 2005 14:49:30 +0000 (GMT)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 82A2643D1D
	for <perforce@freebsd.org>; Thu, 30 Jun 2005 14:49:30 +0000 (GMT)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j5UEnUh2036727
	for <perforce@freebsd.org>; Thu, 30 Jun 2005 14:49:30 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j5UEnULE036724
	for perforce@freebsd.org; Thu, 30 Jun 2005 14:49:30 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Thu, 30 Jun 2005 14:49:30 GMT
Message-Id: <200506301449.j5UEnULE036724@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 79303 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2005 14:49:31 -0000

http://perforce.freebsd.org/chv.cgi?CH=79303

Change 79303 by rwatson@rwatson_zoo on 2005/06/30 14:48:57

	Add an AVC auditing frob, selinux_auditing, similar to
	selinux_enforcing, in order to make it easier to enable and disable
	auditing during debugging.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 (text+ko) ====

@@ -39,6 +39,7 @@
 #include <security/sebsd/avc/av_inherit.h>
 #include <security/sebsd/avc/av_perm_to_string.h>
 
+int selinux_auditing = 1;
 int selinux_enforcing = 0;
 
 #define AVC_CACHE_SLOTS		512
@@ -503,6 +504,17 @@
 
 static inline int check_avc_ratelimit(void)
 {
+
+	/*
+	 * If auditing is not enabled, suppress all messages.
+	 */
+	if (!selinux_auditing)
+		return 0;
+
+	/*
+	 * Otherwise, rate limit messages in enforcing mode, or display all
+	 * messages in permissive mode.
+	 */
 	if (selinux_enforcing)
 		return avc_ratelimit();
 	else {
@@ -515,7 +527,14 @@
 
 static inline int check_avc_ratelimit(void)
 {
-	return 1;
+
+	/*
+	 * If auditing is not enabled, suppress all audit messages.
+	 */
+	if (selinux_auditing)
+		return 1;
+	else
+		return 0;
 }
 
 #endif

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 (text+ko) ====

@@ -22,6 +22,8 @@
 #include <security/sebsd/avc/av_permissions.h>
 #include <security/sebsd/ss/security.h>
 
+extern int selinux_auditing;
+
 #define CONFIG_SECURITY_SELINUX_DEVELOP
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ====

@@ -97,6 +97,40 @@
 }
 
 /*
+ * Sysctl handler for security.mac.sebsd.auditing.  Get or set whether the
+ * avc will audit failures.
+ */
+static int
+sysctl_sebsd_auditing(SYSCTL_HANDLER_ARGS)
+{
+	int error, auditing;
+
+	/* TBD: XXX Always allow the users to find out? */
+	auditing = selinux_auditing;
+	error = SYSCTL_OUT(req, &auditing, sizeof(auditing));
+	if (error)
+		return (error);
+
+	if (req->newptr != NULL) {
+		error = SYSCTL_IN(req, &auditing, sizeof(auditing));
+		if (error)
+			return (error);
+
+		/*
+		 * Treat ability to set audit status as equivilent to
+		 * changing enforcement status.
+		 */
+		error = thread_has_system (curthread, SECURITY__SETENFORCE);
+		if (error)
+			return error;
+
+		selinux_auditing = auditing;
+	}
+
+	return (0);
+}
+
+/*
  * Sysctl handler for security.mac.sebsd.enforcing
  * Get and/or set whether the avc is in enforcement mode.
  */
@@ -312,5 +346,7 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
  	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
 	   "SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW,
+	   NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
 	   NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");