From owner-p4-projects@FreeBSD.ORG Sun Mar 9 19:25:27 2014 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id CF85B910; Sun, 9 Mar 2014 19:25:27 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 77A4D90E for ; Sun, 9 Mar 2014 19:25:27 +0000 (UTC) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:1900:2254:2068::682:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 47E0EBF9 for ; Sun, 9 Mar 2014 19:25:27 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.8/8.14.8) with ESMTP id s29JPR3c052427 for ; Sun, 9 Mar 2014 19:25:27 GMT (envelope-from brooks@freebsd.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.8/8.14.8/Submit) id s29JPRtU052424 for perforce@freebsd.org; Sun, 9 Mar 2014 19:25:27 GMT (envelope-from brooks@freebsd.org) Date: Sun, 9 Mar 2014 19:25:27 GMT Message-Id: <201403091925.s29JPRtU052424@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to brooks@freebsd.org using -f 
From: Brooks Davis Subject: PERFORCE change 1191638 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.17 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Mar 2014 19:25:28 -0000 http://p4web.freebsd.org/@@1191638?ac=10 Change 1191638 by brooks@brooks_zenith on 2014/03/09 19:24:35 Split MAC assertions into FS, PROC, SOCKET, and MISC to aid benchmarking. The split isn't terribly principled and may need adjustment as we work toward something upstreamable. Affected files ... .. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_FS_SOCKET#1 add .. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_PROC_SOCKET#1 add .. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_SOCKET#1 add .. //depot/projects/ctsrd/tesla/src/sys/conf/options#7 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 edit Differences ... ==== //depot/projects/ctsrd/tesla/src/sys/conf/options#7 (text+ko) ====
@@ -674,6 +674,10 @@
TESLA opt_global.h
TESLA_CAPSICUM opt_global.h
TESLA_MAC_ALL opt_global.h
+TESLA_MAC_FS opt_global.h
+TESLA_MAC_MISC opt_global.h
+TESLA_MAC_PROC opt_global.h
+TESLA_MAC_SOCKET opt_global.h
TESLA_PRIV opt_global.h
TESLA_PROC opt_global.h
TESLA_TEST opt_global.h
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 (text+ko) ====
@@ -2149,7 +2149,7 @@
euid = euip->ui_uid; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) ||
@@ -2183,7 +2183,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||
@@ -2217,7 +2217,7 @@
uid_t ruid = ruip->ui_uid; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) ||
@@ -2253,7 +2253,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) ||
@@ -2284,7 +2284,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) ||
@@ -2315,7 +2315,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
/* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) ||
==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 (text+ko) ====
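Review bot: The relationship between TESLA_MAC_ALL and the four new sub-options exists only as the repeated `#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)` at each kern_prot.c site (and the FS, SOCKET and MISC variants at every site in uipc_socket.c, the mac_*.c files and the ufs/ffs files below), so adding a fifth category or renaming one means touching every assertion. Deriving the sub-options from TESLA_MAC_ALL once, in whichever header declares TESLA_SYSCALL — `#if defined(TESLA_MAC_ALL) && !defined(TESLA_MAC_PROC)` / `#define TESLA_MAC_PROC 1` / `#endif`, and likewise for the other three — would let every site stay a plain `#ifdef TESLA_MAC_PROC`. The four new `options` entries would also benefit from a `#` comment stating that TESLA_MAC_ALL is their union and that the grouping is provisional, since the commit message itself expects it to be adjusted. The functions around the kern_prot.c hunks begin and end outside them.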
@@ -425,7 +425,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type, proto) == 0); #endif
@@ -627,7 +627,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0); #endif
@@ -645,7 +645,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0); #endif
@@ -675,7 +675,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0); #endif #endif
@@ -929,7 +929,7 @@
#ifdef MAC /* Access-control check is on head rather than so. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) == 0); #endif
@@ -951,7 +951,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so, nam) == 0); #endif
@@ -1495,7 +1495,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0); #endif #endif
@@ -2457,7 +2457,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0); #endif #endif
@@ -3140,7 +3140,7 @@
* XXXRW: Should be active_cred but actually fp->f_cred is getting * passed down the stack, so the wrong cred here! */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); #endif #endif
@@ -3191,7 +3191,7 @@
struct sockbuf *sb; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); #endif #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 (text+ko) ====
@@ -196,7 +196,7 @@
mac_cred_relabel(struct ucred *cred, struct label *newlabel) {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) == 0)); #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 (text+ko) ====
@@ -143,7 +143,7 @@
struct label *newlabel) {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel) == 0); #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 (text+ko) ====
@@ -172,7 +172,7 @@
} imgp->execlabel = label;
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit)); #endif
@@ -183,7 +183,7 @@
mac_execve_exit(struct image_params *imgp) {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr)))); #endif
@@ -204,7 +204,7 @@
} else *interpvplabel = NULL;
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit)); #endif }
@@ -215,7 +215,7 @@
if (interpvplabel != NULL) { /* Awkwardly, _exit() may be called even if _enter() wasn't. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(called( mac_execve_interpreter_enter(ANY(ptr), ANY(ptr)))); #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 (text+ko) ====
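Review bot: The mac_cred_relabel assertion in the mac_cred.c hunk is gated on TESLA_MAC_MISC while every other credential assertion in this change (the setuid/setgid family in kern_prot.c) is gated on TESLA_MAC_PROC, so a PROC build measures the cred checks without the cred relabel check. Judging by the file list, none of the three added configurations (TESLA_ND_MAC_FS_SOCKET, TESLA_ND_MAC_PROC_SOCKET, TESLA_ND_MAC_SOCKET) enables TESLA_MAC_MISC, so this assertion and the one in mac_pipe.c are only compiled under TESLA_MAC_ALL. If MISC is meant for objects such as creds and pipes that get no benchmark configuration of their own, a comment above the guard, `/* No dedicated benchmark config; grouped under TESLA_MAC_MISC. */`, would record that; otherwise gating mac_cred_relabel on TESLA_MAC_PROC keeps the cred assertions together. mac_cred_relabel continues past the end of the hunk.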
@@ -258,7 +258,7 @@
struct label *newlabel) {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel) == 0); #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 (text+ko) ====
@@ -949,7 +949,7 @@
struct label *newlabel) {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel) == 0)); #endif
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 (text+ko) ====
@@ -440,7 +440,7 @@
vp = ap->a_vp; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL( incallstack(ufs_readdir) || previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int),
@@ -674,7 +674,7 @@
vp = ap->a_vp; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL( previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int), ANY(int), ANY(int), flags(IO_NOMACCHECK), ANY(ptr), ANY(ptr),
@@ -1495,7 +1495,7 @@
u_char *eae, *p; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL(incallstack(ufs_setacl) || previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
@@ -1590,7 +1590,7 @@
int error, ealen; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL(incallstack(ufs_getacl) || previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
@@ -1654,7 +1654,7 @@
int error, ealen; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace) == 0); #endif
@@ -1725,7 +1725,7 @@
u_char *eae, *p; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL(incallstack(ufs_setacl) || previously(mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 (text+ko) ====
@@ -364,7 +364,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp, ap->a_type) == 0); #endif
@@ -622,7 +622,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
if (ap->a_aclp == NULL) TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr), ap->a_vp, ap->a_type) == 0);
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 (text+ko) ====
@@ -53,7 +53,7 @@
#include #include
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
#include #endif
@@ -217,7 +217,7 @@
{ #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp, ap->a_cnp) == 0); #endif
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 (text+ko) ====
@@ -274,7 +274,7 @@
struct inode *ip; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL( previously(mac_kld_check_load(ANY(ptr), vp) == 0) || previously(mac_vnode_check_exec(ANY(ptr), vp, ANY(ptr)) == 0) ||
@@ -542,7 +542,7 @@
} if (vap->va_flags != VNOVAL) { #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setflags(ANY(ptr), vp, ANY(int)) == 0); #endif
@@ -611,7 +611,7 @@
} if (vap->va_size != VNOVAL) { #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp) == 0); #endif
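Review bot: The ufs_vnops.c hunk at -274 places the assertion over mac_kld_check_load and mac_vnode_check_exec under TESLA_MAC_FS alone, so a configuration that enables TESLA_MAC_PROC without TESLA_MAC_FS (which is what the TESLA_ND_MAC_PROC_SOCKET name suggests) compiles out the exec-path assertion even though execve is treated as PROC in mac_process.c and kern_prot.c. If vnode-side checks are deliberately counted as FS regardless of which syscall reaches them, a one-line comment at that site, `/* Vnode-side exec/kld-load checks are counted under TESLA_MAC_FS, not PROC. */`, would make the rule explicit; if not, `#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)` would keep the assertion in both builds. The enclosing function starts and ends outside the hunk.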
@@ -661,7 +661,7 @@
* XXXRW: TESLA can't currently instrument functions with * struct arguments. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setutimes(ANY(ptr), vp, ANY(timespec), ANY(timespec)) == 0); #endif
@@ -802,7 +802,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setmode(ANY(ptr), vp, mode) == 0); #endif
@@ -875,7 +875,7 @@
#endif #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setowner(ANY(ptr), vp, uid, gid) == 0); #endif
@@ -994,7 +994,7 @@
struct thread *td; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp, ap->a_cnp) == 0); #endif
@@ -1050,7 +1050,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_link(ANY(ptr), tdvp, vp, cnp) == 0); #endif
@@ -1220,7 +1220,7 @@
ino_t ino; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_from(ANY(ptr), fdvp, fvp, fcnp) == 0); TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_to(ANY(ptr), tdvp,
@@ -1884,7 +1884,7 @@
long blkoff; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp, vap) == 0); #endif
@@ -2125,7 +2125,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp, cnp) == 0); #endif
@@ -2276,7 +2276,7 @@
off_t off; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readdir(ANY(ptr), ap->a_vp) == 0); #endif
@@ -2392,7 +2392,7 @@
doff_t isize; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readlink(ANY(ptr), vp) == 0); #endif #endif
@@ -2695,7 +2695,7 @@
int error; #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp, ANY(ptr)) == 0); #endif