Date: Mon, 25 Jun 2007 10:31:00 GMT From: Zhouyi ZHOU <zhouzhouyi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 122275 for review Message-ID: <200706251031.l5PAV05l019390@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=122275 Change 122275 by zhouzhouyi@zhouzhouyi_mactest on 2007/06/25 10:30:44 New implementation of logging mac_test check into userspace. The handling of log in mac_test_log.c is quick and dirty, I will revise it sooner or later. Affected files ... .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/LICENSE#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/Makefile#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/README#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/macproc.c#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/mactest.c#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/mactestparser.y#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/conf#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/misc.sh#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/signal/00.t#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/conf/files#2 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac/mac_policy.h#2 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac/mac_vfs.c#2 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#2 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_if.c#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_log.c#1 add .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_private.h#1 add Differences ... ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/conf/files#2 (text+ko) ==== 
@@ -2037,6 +2037,8 @@ security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids security/mac_stub/mac_stub.c optional mac_stub security/mac_test/mac_test.c optional mac_test +security/mac_test/mac_test_if.c optional mac_test +security/mac_test/mac_test_log.c optional mac_test ufs/ffs/ffs_alloc.c optional ffs ufs/ffs/ffs_balloc.c optional ffs ufs/ffs/ffs_inode.c optional ffs ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac/mac_policy.h#2 (text+ko) ==== @@ -631,6 +631,7 @@ mpo_init_bpfdesc_label_t mpo_init_bpfdesc_label; mpo_init_cred_label_t mpo_init_cred_label; mpo_init_devfs_label_t mpo_init_devfs_label; + mpo_init_devfs_label_t mpo_init_mactest_label; mpo_placeholder_t _mpo_placeholder0; mpo_init_ifnet_label_t mpo_init_ifnet_label; mpo_init_inpcb_label_t mpo_init_inpcb_label; ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac/mac_vfs.c#2 (text+ko) ==== @@ -59,13 +59,13 @@ #include <sys/file.h> #include <sys/namei.h> #include <sys/sysctl.h> - #include <vm/vm.h> #include <vm/pmap.h> #include <vm/vm_map.h> #include <vm/vm_object.h> #include <fs/devfs/devfs.h> +#include <sys/dirent.h> #include <security/mac/mac_framework.h> #include <security/mac/mac_internal.h> @@ -90,11 +90,24 @@ return (label); } +static struct label * +mac_mactest_label_alloc(void) +{ + struct label *label; + + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_devfs_label, label); + MAC_PERFORM(init_mactest_label, label); + return (label); +} + void mac_init_devfs(struct devfs_dirent *de) { - - de->de_label = mac_devfs_label_alloc(); + if (de&&de->de_dirent&&!strncmp(de->de_dirent->d_name,"mactest", 7)) + de->de_label = mac_mactest_label_alloc(); + else + de->de_label = mac_devfs_label_alloc(); } static struct label * ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#2 (text+ko) ==== 
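Review bot: In mac_policy.h the new `mpo_init_mactest_label` member is inserted between `mpo_init_devfs_label` and `_mpo_placeholder0`, which moves every later entry point by one slot; a policy module built against the previous header would then have its hooks reached through the wrong members. The enclosing declaration starts outside the hunk, so this is inferred from the member list alone. If a test-only hook has to live in the framework, add it where the existing layout is not disturbed and give it its own type name with a comment such as `/* test-only: labels the mactest log device */`, rather than silently reusing `mpo_init_devfs_label_t`.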
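Review bot: In `mac_init_devfs` the `de &&` test protects only the first branch: when `de` is NULL the `else` arm still executes `de->de_label = mac_devfs_label_alloc();`, so the check is either unnecessary or hides a NULL dereference. The name test `!strncmp(de->de_dirent->d_name,"mactest", 7)` is also a prefix match, so any devfs entry whose name merely begins with `mactest` receives the log-device label that `LABEL_CHECK` in mac_test.c accepts in place of every other magic. Compare the whole name, `strcmp(de->de_dirent->d_name, "mactest") == 0`, and drop or complete the NULL handling. A framework file that picks a label from a device name also deserves a comment saying this is test scaffolding.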
@@ -54,13 +54,15 @@ #include <sys/msg.h> #include <sys/proc.h> #include <sys/vnode.h> +#include <sys/uio.h> #include <sys/sem.h> #include <sys/shm.h> #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/sx.h> #include <sys/sysctl.h> - +#include <sys/mac.h> +#include <sys/extattr.h> #include <fs/devfs/devfs.h> #include <net/bpfdesc.h> @@ -69,14 +71,22 @@ #include <net/if_var.h> #include <security/mac/mac_policy.h> +#include <security/mac_test/mac_test_private.h> -SYSCTL_DECL(_security_mac); +//SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, "TrustedBSD mac_test policy controls"); +int +mac_test_init_if(SYSCTL_HANDLER_ARGS); + +SYSCTL_PROC(_security_mac_test, OID_AUTO, pseudoinit, CTLTYPE_INT | CTLFLAG_RW, 0, 0, + mac_test_init_if, "I", "set to setup the pseudo interfaces for MAC test"); + #define MAGIC_BPF 0xfe1ad1b6 #define MAGIC_DEVFS 0x9ee79c32 +#define MAGIC_MACTESTLOG 0x9ee79c33 #define MAGIC_IFNET 0xc218b120 #define MAGIC_INPCB 0x4440f7bb #define MAGIC_IPQ 0x206188ef @@ -119,14 +129,16 @@ #define LABEL_CHECK(label, magic) do { \ if (label != NULL) { \ - KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ + KASSERT(SLOT(label) == magic || SLOT(label) == 0 || \ + SLOT(label) == MAGIC_MACTESTLOG, \ ("%s: bad %s label", __func__, #magic)); \ } \ } while (0) #define LABEL_DESTROY(label, magic) do { \ - if (SLOT(label) == magic || SLOT(label) == 0) { \ - SLOT_SET(label, MAGIC_FREE); \ + if (SLOT(label) == magic || SLOT(label) == 0 || \ + SLOT(label) == MAGIC_MACTESTLOG ) { \ + SLOT_SET(label, MAGIC_FREE); \ } else if (SLOT(label) == MAGIC_FREE) { \ DEBUGGER("%s: dup destroy", __func__); \ } else { \ @@ -150,7 +162,9 @@ static void mac_test_init_bpfdesc_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_bpfdesc_label\n", + strlen("mac_test_init_bpfdesc_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_BPF); COUNTER_INC(init_bpfdesc_label); } 
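Review bot: `//SYSCTL_DECL(_security_mac);` is left behind as commented-out code with no word on where the declaration now comes from; delete the line or replace it with a comment naming the header that provides it. The prototype `int mac_test_init_if(SYSCTL_HANDLER_ARGS);` is declared in the .c file although `mac_test_private.h` is included in the same hunk and the handler presumably lives in mac_test_if.c, so the header is where a signature mismatch would be caught. `MAGIC_MACTESTLOG` also needs a comment, since unlike its neighbours it does not name an object type: `/* label of the mactest log device and of files tagged for log capture */`.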
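Review bot: Accepting `MAGIC_MACTESTLOG` inside `LABEL_CHECK` and `LABEL_DESTROY` relaxes every assertion in the policy, not only the vnode and devfs ones: a cred, socket or mbuf label carrying that value now passes as valid, so the test module can no longer report that kind of mix-up. In the visible part of this change the marker is only ever set on devfs and vnode labels (`mac_test_init_mactest_label` and the two `associate_vnode_*` hooks), so the exemption belongs in a separate macro used at those call sites. Keep `LABEL_CHECK` as it was and add, for example, `#define LABEL_CHECK_LOGDEV(label, magic)` carrying the extra `|| SLOT(label) == MAGIC_MACTESTLOG` clause for the `MAGIC_DEVFS` and `MAGIC_VNODE` checks only.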
@@ -159,7 +173,9 @@ static void mac_test_init_cred_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_cred_label\n", + strlen("mac_test_init_cred_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_CRED); COUNTER_INC(init_cred_label); } @@ -168,16 +184,26 @@ static void mac_test_init_devfs_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_devfs_label\n", + strlen("mac_test_init_devfs_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_DEVFS); COUNTER_INC(init_devfs_label); } +static void +mac_test_init_mactest_label(struct label *label) +{ + LABEL_INIT(label, MAGIC_MACTESTLOG); +} + COUNTER_DECL(init_ifnet_label); static void mac_test_init_ifnet_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_ifnet_label\n", + strlen("mac_test_init_ifnet_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_IFNET); COUNTER_INC(init_ifnet_label); } @@ -186,7 +212,9 @@ static int mac_test_init_inpcb_label(struct label *label, int flag) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_inpcb_label\n", + strlen("mac_test_init_inpcb_label\n")); + MAC_TEST_LOG_DO_SUBMIT; if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_test_init_inpcb_label() at %s:%d", __FILE__, @@ -201,6 +229,9 @@ static void mac_test_init_sysv_msgmsg_label(struct label *label) { + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_sysv_msgmsg_label\n", + strlen("mac_test_init_sysv_msgmsg_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_SYSV_MSG); COUNTER_INC(init_sysv_msg_label); } @@ -209,6 +240,9 @@ static void mac_test_init_sysv_msgqueue_label(struct label *label) { + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_sysv_msgqueue_label\n", + strlen("mac_test_init_sysv_msgqueue_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_SYSV_MSQ); COUNTER_INC(init_sysv_msq_label); } 
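Review bot: In `mac_test_init_inpcb_label` the log submission is placed before the `if (flag & M_WAITOK)` test, so it also runs for callers that pass a non-sleeping flag; the same placement recurs in `mac_test_init_ipq_label`, `mac_test_init_mbuf_label`, `mac_test_init_socket_label` and `mac_test_init_socket_peer_label`. `MAC_TEST_LOG_SUBMIT_WITHPID` and `MAC_TEST_LOG_DO_SUBMIT` are defined in mac_test_private.h, which is not shown, so whether they allocate or take a sleepable lock cannot be confirmed from this hunk. If they can sleep, pass `flag` down to the logger or skip logging when `M_WAITOK` is not set; if they cannot, state it at the call, e.g. `/* logging never sleeps; safe under M_NOWAIT */`. The function body continues outside the hunk.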
@@ -217,6 +251,9 @@ static void mac_test_init_sysv_sem_label(struct label *label) { + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_sysv_sem_label\n", + strlen("mac_test_init_sysv_sem_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_SYSV_SEM); COUNTER_INC(init_sysv_sem_label); } @@ -225,6 +262,9 @@ static void mac_test_init_sysv_shm_label(struct label *label) { + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_sysv_shm_label\n", + strlen("mac_test_init_sysv_shm_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_SYSV_SHM); COUNTER_INC(init_sysv_shm_label); } @@ -233,7 +273,9 @@ static int mac_test_init_ipq_label(struct label *label, int flag) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_ipq_label\n", + strlen("mac_test_init_ipq_label\n")); + MAC_TEST_LOG_DO_SUBMIT; if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_test_init_ipq_label() at %s:%d", __FILE__, @@ -248,7 +290,9 @@ static int mac_test_init_mbuf_label(struct label *label, int flag) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_mbuf_label\n", + strlen("mac_test_init_mbuf_label\n")); + MAC_TEST_LOG_DO_SUBMIT; if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_test_init_mbuf_label() at %s:%d", __FILE__, @@ -263,7 +307,9 @@ static void mac_test_init_mount_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_mount_label\n", + strlen("mac_test_init_mount_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_MOUNT); COUNTER_INC(init_mount_label); } @@ -273,6 +319,9 @@ mac_test_init_socket_label(struct label *label, int flag) { + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_socket_label\n", + strlen("mac_test_init_socket_label\n")); + MAC_TEST_LOG_DO_SUBMIT; if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_test_init_socket_label() at %s:%d", __FILE__, 
@@ -287,7 +336,9 @@ static int mac_test_init_socket_peer_label(struct label *label, int flag) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_socket_peer_label\n", + strlen("mac_test_init_socket_peer_label\n")); + MAC_TEST_LOG_DO_SUBMIT; if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_test_init_socket_peer_label() at %s:%d", __FILE__, @@ -302,7 +353,9 @@ static void mac_test_init_pipe_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_pipe_label\n", + strlen("mac_test_init_pipe_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_PIPE); COUNTER_INC(init_pipe_label); } @@ -311,7 +364,9 @@ static void mac_test_init_posix_sem_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_posix_sem_label\n", + strlen("mac_test_init_posix_sem_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_POSIX_SEM); COUNTER_INC(init_posix_sem_label); } @@ -320,7 +375,9 @@ static void mac_test_init_proc_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_proc_label\n", + strlen("mac_test_init_proc_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_PROC); COUNTER_INC(init_proc_label); } @@ -329,7 +386,9 @@ static void mac_test_init_vnode_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_init_vnode_label\n", + strlen("mac_test_init_vnode_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_INIT(label, MAGIC_VNODE); COUNTER_INC(init_vnode_label); } @@ -338,7 +397,9 @@ static void mac_test_destroy_bpfdesc_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_bpfdesc_label\n", + strlen("mac_test_destroy_bpfdesc_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_BPF); COUNTER_INC(destroy_bpfdesc_label); } 
@@ -347,7 +408,9 @@ static void mac_test_destroy_cred_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_cred_label\n", + strlen("mac_test_destroy_cred_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_CRED); COUNTER_INC(destroy_cred_label); } @@ -356,7 +419,9 @@ static void mac_test_destroy_devfs_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_devfs_label\n", + strlen("mac_test_destroy_devfs_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_DEVFS); COUNTER_INC(destroy_devfs_label); } @@ -365,7 +430,9 @@ static void mac_test_destroy_ifnet_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_ifnet_label\n", + strlen("mac_test_destroy_ifnet_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_IFNET); COUNTER_INC(destroy_ifnet_label); } @@ -374,7 +441,9 @@ static void mac_test_destroy_inpcb_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_inpcb_label\n", + strlen("mac_test_destroy_inpcb_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_INPCB); COUNTER_INC(destroy_inpcb_label); } @@ -383,7 +452,9 @@ static void mac_test_destroy_sysv_msgmsg_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_sysv_msgmsg_label\n", + strlen("mac_test_destroy_sysv_msgmsg__label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SYSV_MSG); COUNTER_INC(destroy_sysv_msg_label); } @@ -392,7 +463,9 @@ static void mac_test_destroy_sysv_msgqueue_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_sysv_msgqueue_label\n", + strlen("mac_test_destroy_sysv_msgqueue_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SYSV_MSQ); COUNTER_INC(destroy_sysv_msq_label); } 
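Review bot: In `mac_test_destroy_sysv_msgmsg_label` the length is taken from a different literal than the message (`..._msgmsg__label\n`, with a doubled underscore), so the logger is told the message is one byte longer than it is. The same copy-and-paste mismatch appears in later hunks: `mac_test_create_pipe` passes `strlen("mac_test_create_socket with cr_label and pipelabel:")`, two bytes more than its message and therefore past the literal's terminating NUL, while `mac_test_create_mbuf_from_socket` and `mac_test_create_posix_sem` pass lengths shorter than their messages and would truncate them. How the length is consumed is defined in mac_test_private.h (not shown), but if it drives a copy into the log that userspace reads, the over-long case exposes kernel memory adjacent to the string. Derive the length from the literal itself so the two cannot diverge, e.g. a wrapper `#define MAC_TEST_LOG_MSG(s) MAC_TEST_LOG_SUBMIT_WITHPID((s), sizeof(s) - 1)`.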
@@ -401,7 +474,9 @@ static void mac_test_destroy_sysv_sem_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_sysv_sem_label\n", + strlen("mac_test_destroy_sysv_sem_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SYSV_SEM); COUNTER_INC(destroy_sysv_sem_label); } @@ -410,7 +485,9 @@ static void mac_test_destroy_sysv_shm_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_sysv_shm_label\n", + strlen("mac_test_destroy_sysv_shm_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SYSV_SHM); COUNTER_INC(destroy_sysv_shm_label); } @@ -419,7 +496,9 @@ static void mac_test_destroy_ipq_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_ipq_label\n", + strlen("mac_test_destroy_ipq_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_IPQ); COUNTER_INC(destroy_ipq_label); } @@ -428,7 +507,9 @@ static void mac_test_destroy_mbuf_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_mbuf_label\n", + strlen("mac_test_destroy_mbuf_label\n")); + MAC_TEST_LOG_DO_SUBMIT; /* * If we're loaded dynamically, there may be mbufs in flight that * didn't have label storage allocated for them. Handle this @@ -445,7 +526,9 @@ static void mac_test_destroy_mount_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_mount_label\n", + strlen("mac_test_destroy_mount_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_MOUNT); COUNTER_INC(destroy_mount_label); } @@ -454,7 +537,9 @@ static void mac_test_destroy_socket_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_socket_label\n", + strlen("mac_test_destroy_socket_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SOCKET); COUNTER_INC(destroy_socket_label); } 
@@ -463,7 +548,9 @@ static void mac_test_destroy_socket_peer_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_socket_peer_label\n", + strlen("mac_test_destroy_socket_peer_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_SOCKET); COUNTER_INC(destroy_socket_peer_label); } @@ -472,7 +559,9 @@ static void mac_test_destroy_pipe_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_pipe_label\n", + strlen("mac_test_destroy_pipe_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_PIPE); COUNTER_INC(destroy_pipe_label); } @@ -481,7 +570,9 @@ static void mac_test_destroy_posix_sem_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_posix_sem_label\n", + strlen("mac_test_destroy_posix_sem_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_POSIX_SEM); COUNTER_INC(destroy_posix_sem_label); } @@ -490,7 +581,9 @@ static void mac_test_destroy_proc_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_proc_label\n", + strlen("mac_test_destroy_proc_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_PROC); COUNTER_INC(destroy_proc_label); } @@ -499,7 +592,9 @@ static void mac_test_destroy_vnode_label(struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_destroy_vnode_label\n", + strlen("mac_test_destroy_vnode_label\n")); + MAC_TEST_LOG_DO_SUBMIT; LABEL_DESTROY(label, MAGIC_VNODE); COUNTER_INC(destroy_vnode_label); } @@ -508,7 +603,9 @@ static void mac_test_copy_cred_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_cred_label with src label:", + strlen("mac_test_copy_cred_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(cred,src); LABEL_CHECK(src, MAGIC_CRED); LABEL_CHECK(dest, MAGIC_CRED); COUNTER_INC(copy_cred_label); 
@@ -518,7 +615,9 @@ static void mac_test_copy_ifnet_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_ifnet_label with src label:", + strlen("mac_test_copy_ifnet_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(ifnet,src); LABEL_CHECK(src, MAGIC_IFNET); LABEL_CHECK(dest, MAGIC_IFNET); COUNTER_INC(copy_ifnet_label); @@ -528,7 +627,9 @@ static void mac_test_copy_mbuf_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_mbuf_label with src label:", + strlen("mac_test_copy_mbuf_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(vnode,src); LABEL_CHECK(src, MAGIC_MBUF); LABEL_CHECK(dest, MAGIC_MBUF); COUNTER_INC(copy_mbuf_label); @@ -538,7 +639,9 @@ static void mac_test_copy_pipe_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_pipe_label with src label:", + strlen("mac_test_copy_pipe_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(pipe,src); LABEL_CHECK(src, MAGIC_PIPE); LABEL_CHECK(dest, MAGIC_PIPE); COUNTER_INC(copy_pipe_label); @@ -548,7 +651,9 @@ static void mac_test_copy_socket_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_socket_label with src label:", + strlen("mac_test_copy_socket_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(socket,src); LABEL_CHECK(src, MAGIC_SOCKET); LABEL_CHECK(dest, MAGIC_SOCKET); COUNTER_INC(copy_socket_label); @@ -558,7 +663,9 @@ static void mac_test_copy_vnode_label(struct label *src, struct label *dest) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_copy_vnode_label with src label:", + strlen("mac_test_copy_vnode_label with src label:")); + MAC_TEST_LOG_SUBMIT_LABEL(vnode,src); LABEL_CHECK(src, MAGIC_VNODE); LABEL_CHECK(dest, MAGIC_VNODE); COUNTER_INC(copy_vnode_label); 
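Review bot: `mac_test_copy_mbuf_label` logs its source label with the type tag `vnode` (`MAC_TEST_LOG_SUBMIT_LABEL(vnode,src)`), whereas the neighbouring copy hooks use the tag of the object they handle (`cred`, `ifnet`, `pipe`, `socket`). What the first macro argument selects is defined in mac_test_private.h, which is not shown, so this may be a deliberate stand-in for object types without their own formatter; later hunks do the same for POSIX semaphore, bpf, ipq and SysV labels. If it is deliberate, say so at the call, e.g. `/* no mbuf-specific formatter; vnode tag used as a generic one */`; if not, the log will describe these labels as the wrong kind of object. The label is also handed to the logger before `LABEL_CHECK` has looked at it, which is worth a word in the macro's documentation.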
@@ -598,19 +705,39 @@ struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_associate_vnode_devfs " + "with mplabel delabel and vplabel:", + strlen("mac_test_associate_vnode_devfs with mplabel delabel and vplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(vnode,mplabel,vnode,delabel,vnode,vplabel); + if (delabel != NULL && SLOT(delabel) == MAGIC_MACTESTLOG) + LABEL_INIT(vplabel, MAGIC_MACTESTLOG); LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(delabel, MAGIC_DEVFS); LABEL_CHECK(vplabel, MAGIC_VNODE); COUNTER_INC(associate_vnode_devfs); } - +/* + * To avoid recursion on reading /dev/mactest to a tempory file + * we associate the file with "mac_test" mac_test extattr with + * MAGIC_MACTESTLOG label + */ + COUNTER_DECL(associate_vnode_extattr); static int mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { - + char mac_test[64]; + int error, buflen = 64; + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_associate_vnode_extattr with " + "mplabel and vplabel:", + strlen("mac_test_associate_vnode_extattr with mplabel and vplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel); + bzero(mac_test,buflen); + error = vn_extattr_get(vp, IO_NODELOCKED, EXTATTR_NAMESPACE_SYSTEM, + "mac_test", &buflen, mac_test, curthread); + if (!error && !strncmp(mac_test,"mac_test", 8)) + LABEL_INIT(vplabel, MAGIC_MACTESTLOG); LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(vplabel, MAGIC_VNODE); COUNTER_INC(associate_vnode_extattr); 
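Review bot: In `mac_test_associate_vnode_extattr` the marker test is a prefix match on whatever was read: `strncmp(mac_test,"mac_test", 8)` accepts any attribute value that starts with those eight bytes, the length returned in `buflen` is never examined, and every read error is treated the same as an absent attribute. Because a match re-initialises `vplabel` to `MAGIC_MACTESTLOG` just before `LABEL_CHECK(vplabel, MAGIC_VNODE)`, a tagged file stops being checked as a vnode label, so the match should be as narrow as possible. Compare the full value together with its length, e.g. `if (error == 0 && buflen == 8 && memcmp(mac_test, "mac_test", 8) == 0)` (adjust the length if the userland tool stores a trailing NUL), and extend the block comment above the function to say who sets the attribute and in which namespace. The function's return statement lies outside the hunk.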
@@ -623,7 +750,10 @@ mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_associate_vnode_singlelabel " + "with mplabel and vplabel:", + strlen("mac_test_associate_vnode_singlelabel with mplabel and vplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel); LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(vplabel, MAGIC_VNODE); COUNTER_INC(associate_vnode_singlelabel); @@ -634,9 +764,15 @@ mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { - - if (cred != NULL) + struct label * tmplabel; + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_devfs_device with cr_label and delabel:", + strlen("mac_test_create_devfs_device with cr_label and delabel:")); + if (cred != NULL){ LABEL_CHECK(cred->cr_label, MAGIC_CRED); + tmplabel = cred->cr_label; + }else + tmplabel = 0; + MAC_TEST_LOG_SUBMIT_LABEL2(cred, 0, vnode,delabel); LABEL_CHECK(delabel, MAGIC_DEVFS); COUNTER_INC(create_devfs_device); } @@ -646,7 +782,9 @@ mac_test_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_devfs_directory with delabel:", + strlen("mac_test_create_devfs_directory with delabel:")); + MAC_TEST_LOG_SUBMIT_LABEL(vnode,delabel); LABEL_CHECK(delabel, MAGIC_DEVFS); COUNTER_INC(create_devfs_directory); } 
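Review bot: In `mac_test_create_devfs_device` the new local `tmplabel` is assigned in both branches and then never used; the logging call passes a literal `0` as the cred label, `MAC_TEST_LOG_SUBMIT_LABEL2(cred, 0, vnode,delabel);`. The NULL-safe value was evidently meant to be logged, so the call should read `MAC_TEST_LOG_SUBMIT_LABEL2(cred, tmplabel, vnode, delabel);`, with `tmplabel = NULL` rather than `0` in the else branch. As written, the credential label is never recorded for device creation and the variable is set but unused.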
@@ -657,7 +795,10 @@ struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_devfs_symlink " + "with cr_label ddlabel and delabel:", + strlen("mac_test_create_devfs_symlink with cr_label ddlabel and delabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred, cred->cr_label, vnode,ddlabel,vnode,delabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(ddlabel, MAGIC_DEVFS); LABEL_CHECK(delabel, MAGIC_DEVFS); @@ -670,7 +811,12 @@ struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_vnode_extattr with " + "cr_label mplabel dvplabel and vplabel:", + strlen("mac_test_create_vnode_extattr with cr_label " + "mplabel dvplabel and vplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL4(cred,cred->cr_label,vnode,mplabel,vnode, + dvplabel,vnode,vplabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(dvplabel, MAGIC_VNODE); @@ -684,7 +830,9 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp, struct label *mplabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_mount with cr_label and mplabel:", + strlen("mac_test_create_mount with cr_label and mplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred,cred->cr_label,vnode,mplabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(mplabel, MAGIC_MOUNT); COUNTER_INC(create_mount); @@ -695,7 +843,9 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_relabel_vnode with cr_label vplabel and label:", + strlen("mac_test_relabel_vnode with cr_label vplabel and label:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred,cred->cr_label,vnode,vplabel,vnode,label); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(label, MAGIC_VNODE); 
@@ -707,7 +857,10 @@ mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_setlabel_vnode_extattr with " + "cr_label vplabel and intlabel:", + strlen("mac_test_setlabel_vnode_extattr with cr_label vplabel and intlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred,cred->cr_label,vnode,vplabel,vnode,intlabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(intlabel, MAGIC_VNODE); @@ -721,7 +874,9 @@ mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vplabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_update_devfs with direntlabel and vplabel:", + strlen("mac_test_update_devfs with direntlabel and vplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,direntlabel,vnode,vplabel); LABEL_CHECK(direntlabel, MAGIC_DEVFS); LABEL_CHECK(vplabel, MAGIC_VNODE); COUNTER_INC(update_devfs); @@ -735,7 +890,10 @@ mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_mbuf_from_socket" + " with socketlabel and mbuflabel:", + strlen("mac_test_update_devfs with socketlabel and mbuflabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(socket,socketlabel,vnode,mbuflabel); LABEL_CHECK(socketlabel, MAGIC_SOCKET); LABEL_CHECK(mbuflabel, MAGIC_MBUF); COUNTER_INC(create_mbuf_from_socket); @@ -746,7 +904,9 @@ mac_test_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_socket with cr_label and socketlabel:", + strlen("mac_test_create_socket with cr_label and socketlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred,cred->cr_label,socket,socketlabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(socketlabel, MAGIC_SOCKET); COUNTER_INC(create_socket); 
@@ -757,7 +917,9 @@ mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_pipe with cr_label and pipelabel:", + strlen("mac_test_create_socket with cr_label and pipelabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred,cred->cr_label,pipe,pipelabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); COUNTER_INC(create_pipe); @@ -768,7 +930,9 @@ mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem, struct label *posixlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_posix_sem with cr_label and posixlabel:", + strlen("mac_test_create_socket with cr_label and posixlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred,cred->cr_label,vnode,posixlabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM); COUNTER_INC(create_posix_sem); @@ -780,7 +944,11 @@ struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_socket_from_socket with " + "oldsocketlabel and newsocketlabel:", + strlen("mac_test_create_socket_from_socket with oldsocketlabel " + "and newsocketlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(socket,oldsocketlabel,socket,newsocketlabel); LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); LABEL_CHECK(newsocketlabel, MAGIC_SOCKET); COUNTER_INC(create_socket_from_socket); @@ -791,7 +959,10 @@ mac_test_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_relabel_socket with cr_label " + "socketlabel and newlabel:", + strlen("mac_test_relabel_socket with cr_label socketlabel and newlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred,cred->cr_label,socket,socketlabel,socket,newlabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(newlabel, MAGIC_SOCKET); COUNTER_INC(relabel_socket); 
@@ -802,7 +973,10 @@ mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, struct label *pipelabel, struct label *newlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_relabel_pipe with cr_label " + "pipelabel and newlabel:", + strlen("mac_test_relabel_pipe with cr_label pipelabel and newlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred,cred->cr_label,pipe,pipelabel,pipe,newlabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); LABEL_CHECK(newlabel, MAGIC_PIPE); @@ -814,7 +988,10 @@ mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_set_socket_peer_from_mbuf with " + "mbuflabel and socketpeerlabel:", + strlen("mac_test_set_socket_peer_from_mbuf with mbuflabel and socketpeerlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,mbuflabel,socket,socketpeerlabel); LABEL_CHECK(mbuflabel, MAGIC_MBUF); LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); COUNTER_INC(set_socket_peer_from_mbuf); @@ -829,7 +1006,11 @@ struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_set_socket_peer_from_socket with" + " oldsocketlabel and newsocketpeerlabel:", + strlen("mac_test_set_socket_peer_from_socket with " + "oldsocketlabel and newsocketpeerlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(socket,oldsocketlabel,socket,newsocketpeerlabel); LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET); COUNTER_INC(set_socket_peer_from_socket); 
@@ -840,7 +1021,9 @@ mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_bpfdesc with cr_label and bpflabel:", + strlen("mac_test_create_bpfdesc with cr_label and bpflabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred,cred->cr_label,vnode,bpflabel); LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(bpflabel, MAGIC_BPF); COUNTER_INC(create_bpfdesc); @@ -851,7 +1034,10 @@ mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_datagram_from_ipq " + "with ipqlabel and datagramlabel:", + strlen("mac_test_create_datagram_from_ipq with ipqlabel and datagramlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,ipqlabel,vnode,datagramlabel); LABEL_CHECK(ipqlabel, MAGIC_IPQ); LABEL_CHECK(datagramlabel, MAGIC_MBUF); COUNTER_INC(create_datagram_from_ipq); @@ -862,7 +1048,10 @@ mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_fragment " + "with datagramlabel and fragmentlabel:", + strlen("mac_test_create_fragment with datagramlabel and fragmentlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode,datagramlabel,vnode,fragmentlabel); LABEL_CHECK(datagramlabel, MAGIC_MBUF); LABEL_CHECK(fragmentlabel, MAGIC_MBUF); COUNTER_INC(create_fragment); @@ -872,7 +1061,10 @@ static void mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_ifnet " + "with ifnetlabel:", + strlen("mac_test_create_ifnet with ifnetlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL(ifnet,ifnetlabel); LABEL_CHECK(ifnetlabel, MAGIC_IFNET); COUNTER_INC(create_ifnet); } 
@@ -882,7 +1074,10 @@ mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_inpcb_from_socket " + "with solabel and inplabel:", + strlen("mac_test_create_inpcb_from_socket with solabel and inplabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(socket, solabel, ifnet, inplabel); LABEL_CHECK(solabel, MAGIC_SOCKET); LABEL_CHECK(inplabel, MAGIC_INPCB); COUNTER_INC(create_inpcb_from_socket); @@ -893,7 +1088,10 @@ mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_sysv_msgmsg " + "with cr_label msqlabel and msglabel:", + strlen("mac_test_create_sysv_msgmsg with cr_label msqlabel and msglabel:")); + MAC_TEST_LOG_SUBMIT_LABEL3(cred, cred->cr_label, cred, msqlabel, cred, msglabel); LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); COUNTER_INC(create_sysv_msgmsg); @@ -904,7 +1102,10 @@ mac_test_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_sysv_msgqueue " + "with msqlabel:", + strlen("mac_test_create_sysv_msgqueue with msqlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL(vnode, msqlabel); LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); COUNTER_INC(create_sysv_msgqueue); } @@ -914,7 +1115,10 @@ mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_sysv_sem " + "with cr_label and semalabel:", + strlen("mac_test_create_sysv_sem with cr_label and semalabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred, cred->cr_label, vnode, semalabel); LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); COUNTER_INC(create_sysv_sem); } 
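Review bot: The logging call added to `mac_test_create_sysv_msgmsg` dereferences `cred->cr_label`, although the visible body of this hook never touches `cred` and only checks `msglabel` and `msqlabel`; `mac_test_create_sysv_sem` and, in the following hunks, `mac_test_create_sysv_shm` gain the same dereference. Elsewhere in this change `mac_test_create_devfs_device` guards against `cred == NULL`, so it is not evident from the hunk that these callers always supply a credential. Either add the matching `LABEL_CHECK(cred->cr_label, MAGIC_CRED);` with a comment that `cred` is never NULL here, or log the label through a NULL-safe temporary as the devfs hook does. The type tags used for the message labels (`cred, msqlabel, cred, msglabel`) also look copied from the first pair and should be confirmed.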
@@ -924,7 +1128,10 @@ mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_sysv_shm " + "with cr_label and shmlabel:", + strlen("mac_test_create_sysv_shm with cr_label and shmlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(cred, cred->cr_label, vnode, shmlabel); LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); COUNTER_INC(create_sysv_shm); } @@ -934,7 +1141,10 @@ mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { - + MAC_TEST_LOG_SUBMIT_WITHPID("mac_test_create_ipq " + "with fragmentlabel and ipqlabel:", + strlen("mac_test_create_ipq with fragmentlabel and ipqlabel:")); + MAC_TEST_LOG_SUBMIT_LABEL2(vnode, fragmentlabel, vnode, ipqlabel); >>> TRUNCATED FOR MAIL (1000 lines) <<<