From owner-trustedbsd-cvs@FreeBSD.ORG Wed Aug 16 14:13:00 2006 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37E1816A682 for ; Wed, 16 Aug 2006 14:13:00 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F14D43D45 for ; Wed, 16 Aug 2006 14:12:59 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by cyrus.watson.org (Postfix) with ESMTP id 42D1346C87 for ; Wed, 16 Aug 2006 10:12:58 -0400 (EDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id BD9269193D; Wed, 16 Aug 2006 14:12:53 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id E883216A588; Wed, 16 Aug 2006 14:12:43 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5DF916A4DF for ; Wed, 16 Aug 2006 14:12:43 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2521A43D46 for ; Wed, 16 Aug 2006 14:12:43 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k7GEChpj073359 for ; Wed, 16 Aug 2006 14:12:43 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k7GECg4F073355 for perforce@freebsd.org; Wed, 16 Aug 2006 14:12:42 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 16 Aug 2006 14:12:42 GMT Message-Id: <200608161412.k7GECg4F073355@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 104227 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Aug 2006 14:13:00 -0000 http://perforce.freebsd.org/chv.cgi?CH=104227 Change 104227 by rwatson@rwatson_zoo on 2006/08/16 14:12:28 sync to millert's cleanups in sedarwin: remove MAC_DEBUG -- this was originally added when doing early labeling work as part of the MAC Framework implementation, and has basically not been used since. Creating a policy module to do the same thing is trivial. Affected files ... .. //depot/projects/trustedbsd/mac2/sys/conf/NOTES#3 edit .. //depot/projects/trustedbsd/mac2/sys/conf/options#3 edit .. //depot/projects/trustedbsd/mac2/sys/kern/kern_mac.c#5 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_inet.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_internal.h#5 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_label.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_net.c#4 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_pipe.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_posix_sem.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_process.c#4 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_socket.c#4 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_system.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_msg.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_sem.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_shm.c#3 edit .. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_vfs.c#5 edit Differences ... ==== //depot/projects/trustedbsd/mac2/sys/conf/NOTES#3 (text+ko) ==== @@ -998,7 +998,6 @@ options MAC options MAC_BIBA options MAC_BSDEXTENDED -options MAC_DEBUG options MAC_IFOFF options MAC_LOMAC options MAC_MLS ==== //depot/projects/trustedbsd/mac2/sys/conf/options#3 (text+ko) ==== @@ -103,7 +103,6 @@ MAC_ALWAYS_LABEL_MBUF opt_mac.h MAC_BIBA opt_dontuse.h MAC_BSDEXTENDED opt_dontuse.h -MAC_DEBUG opt_mac.h MAC_IFOFF opt_dontuse.h MAC_LOMAC opt_dontuse.h MAC_MLS opt_dontuse.h ==== //depot/projects/trustedbsd/mac2/sys/kern/kern_mac.c#5 (text+ko) ==== @@ -137,17 +137,6 @@ int mac_labelmbufs = 0; #endif -#ifdef MAC_DEBUG -SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, - "TrustedBSD MAC debug info"); -SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, - "TrustedBSD MAC object counters"); - -static unsigned int nmactemp; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, - &nmactemp, 0, "number of temporary labels in use"); -#endif - static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_inet.c#3 (text+ko) ==== @@ -70,15 +70,6 @@ #include -#ifdef MAC_DEBUG -static unsigned int nmacinpcbs, nmacipqs; - -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD, - &nmacinpcbs, 0, "number of inpcbs in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, - &nmacipqs, 0, "number of ipqs in use"); -#endif - static struct label * mac_inpcb_label_alloc(int flag) { @@ -94,7 +85,6 @@ mac_labelzone_free(label); return (NULL); } - MAC_DEBUG_COUNTER_INC(&nmacinpcbs); return (label); } @@ -124,7 +114,6 @@ mac_labelzone_free(label); return (NULL); } - MAC_DEBUG_COUNTER_INC(&nmacipqs); return (label); } @@ -144,7 +133,6 @@ MAC_PERFORM(inpcb_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacinpcbs); } void @@ -161,7 +149,6 @@ MAC_PERFORM(ipq_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacipqs); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_internal.h#5 (text+ko) ==== @@ -46,10 +46,6 @@ #ifdef SYSCTL_DECL SYSCTL_DECL(_security); SYSCTL_DECL(_security_mac); -#ifdef MAC_DEBUG -SYSCTL_DECL(_security_mac_debug); -SYSCTL_DECL(_security_mac_debug_counters); -#endif #endif /* SYSCTL_DECL */ /* @@ -75,18 +71,6 @@ #endif /* - * MAC Framework object/access counter primitives, conditionally - * compiled. - */ -#ifdef MAC_DEBUG -#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1); -#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1); -#else -#define MAC_DEBUG_COUNTER_INC(x) -#define MAC_DEBUG_COUNTER_DEC(x) -#endif - -/* * MAC Framework infrastructure functions. */ int mac_error_select(int error1, int error2); ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_label.c#3 (text+ko) ==== ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_net.c#4 (text+ko) ==== @@ -77,17 +77,6 @@ &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); -#ifdef MAC_DEBUG -static unsigned int nmacbpfdescs, nmacifnets, nmacmbufs; - -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, - &nmacbpfdescs, 0, "number of bpfdescs in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, - &nmacifnets, 0, "number of ifnets in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, - &nmacmbufs, 0, "number of mbufs in use"); -#endif - /* * XXXRW: struct ifnet locking is incomplete in the network code, so we * use our own global mutex for struct ifnet. Non-ideal, but should help @@ -120,7 +109,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(bpfdesc_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); return (label); } @@ -138,7 +126,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(ifnet_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacifnets); return (label); } @@ -162,8 +149,6 @@ if (error) { MAC_PERFORM(mbuf_destroy_label, label); mac_destroy_label(label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacmbufs); } return (error); } @@ -203,7 +188,6 @@ MAC_PERFORM(bpfdesc_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); } void @@ -220,7 +204,6 @@ MAC_PERFORM(ifnet_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacifnets); } void @@ -240,7 +223,6 @@ MAC_PERFORM(mbuf_destroy_label, label); mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacmbufs); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_pipe.c#3 (text+ko) ==== @@ -61,12 +61,6 @@ &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); -#ifdef MAC_DEBUG -static unsigned int nmacpipes; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, - &nmacpipes, 0, "number of pipes in use"); -#endif - struct label * mac_pipe_label_alloc(void) { @@ -74,7 +68,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(pipe_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacpipes); return (label); } @@ -91,7 +84,6 @@ MAC_PERFORM(pipe_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacpipes); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_posix_sem.c#3 (text+ko) ==== @@ -54,12 +54,6 @@ &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores"); TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem); -#ifdef MAC_DEBUG -static unsigned int nmacposixsems; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_sems, CTLFLAG_RD, - &nmacposixsems, 0, "number of posix global semaphores inuse"); -#endif - static struct label * mac_posix_sem_label_alloc(void) { @@ -67,7 +61,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(posix_sem_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacposixsems); return (label); } @@ -83,7 +76,6 @@ { MAC_PERFORM(posix_sem_destroy_label, label); - MAC_DEBUG_COUNTER_DEC(&nmacposixsems); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_process.c#4 (text+ko) ==== @@ -96,14 +96,6 @@ &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations"); TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid); -#ifdef MAC_DEBUG -static unsigned int nmaccreds, nmacprocs; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, - &nmaccreds, 0, "number of ucreds in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, - &nmacprocs, 0, "number of procs in use"); -#endif - static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); @@ -114,7 +106,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(cred_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmaccreds); return (label); } @@ -132,7 +123,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(proc_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacprocs); return (label); } @@ -149,7 +139,6 @@ MAC_PERFORM(cred_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmaccreds); } void @@ -166,7 +155,6 @@ MAC_PERFORM(proc_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacprocs); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_socket.c#4 (text+ko) ==== @@ -81,13 +81,6 @@ &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); -#ifdef MAC_DEBUG -static unsigned int nmacsockets; - -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, - &nmacsockets, 0, "number of sockets in use"); -#endif - struct label * mac_socket_label_alloc(int flag) { @@ -104,7 +97,6 @@ mac_labelzone_free(label); return (NULL); } - MAC_DEBUG_COUNTER_INC(&nmacsockets); return (label); } @@ -124,7 +116,6 @@ mac_labelzone_free(label); return (NULL); } - MAC_DEBUG_COUNTER_INC(&nmacsockets); return (label); } @@ -150,7 +141,6 @@ MAC_PERFORM(socket_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacsockets); } static void @@ -159,7 +149,6 @@ MAC_PERFORM(socket_peer_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacsockets); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_system.c#3 (text+ko) ==== ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_msg.c#3 (text+ko) ==== @@ -63,14 +63,6 @@ "Enforce MAC policy on System V IPC Message Queues"); TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg); -#ifdef MAC_DEBUG -static unsigned int nmacipcmsgs, nmacipcmsqs; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD, - &nmacipcmsgs, 0, "number of sysv ipc messages inuse"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD, - &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse"); -#endif - static struct label * mac_sysvmsg_label_alloc(void) { @@ -78,7 +70,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(sysvmsg_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacipcmsgs); return (label); } @@ -96,7 +87,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(sysvmsq_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacipcmsqs); return (label); } @@ -113,7 +103,6 @@ MAC_PERFORM(sysvmsg_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs); } void @@ -130,7 +119,6 @@ MAC_PERFORM(sysvmsq_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_sem.c#3 (text+ko) ==== @@ -62,12 +62,6 @@ &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores"); TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem); -#ifdef MAC_DEBUG -static unsigned int nmacipcsemas; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD, - &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse"); -#endif - static struct label * mac_sysvsem_label_alloc(void) { @@ -75,7 +69,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(sysvsem_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacipcsemas); return (label); } @@ -92,7 +85,6 @@ MAC_PERFORM(sysvsem_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacipcsemas); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_shm.c#3 (text+ko) ==== @@ -63,12 +63,6 @@ "Enforce MAC policy on System V IPC shared memory"); TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm); -#ifdef MAC_DEBUG -static unsigned int nmacipcshms; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD, - &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse"); -#endif - static struct label * mac_sysvshm_label_alloc(void) { @@ -76,7 +70,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(sysvshm_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacipcshms); return (label); } @@ -93,7 +86,6 @@ MAC_PERFORM(sysvshm_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacipcshms); } void ==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_vfs.c#5 (text+ko) ==== @@ -83,23 +83,6 @@ &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); -#ifdef MAC_DEBUG -static int mac_debug_label_fallback = 0; -SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, - &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" - "when label is corrupted."); -TUNABLE_INT("security.mac.debug_label_fallback", - &mac_debug_label_fallback); - -static unsigned int nmacmounts, nmacvnodes, nmacdevfsdirents; -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, - &nmacmounts, 0, "number of mounts in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD, - &nmacvnodes, 0, "number of vnodes in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, - &nmacdevfsdirents, 0, "number of devfs dirents inuse"); -#endif - static int mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); @@ -110,7 +93,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(devfs_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents); return (label); } @@ -128,7 +110,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(mount_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacmounts); return (label); } @@ -146,7 +127,6 @@ label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(vnode_init_label, label); - MAC_DEBUG_COUNTER_INC(&nmacvnodes); return (label); } @@ -163,7 +143,6 @@ MAC_PERFORM(devfs_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents); } void @@ -180,7 +159,6 @@ MAC_PERFORM(mount_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacmounts); } void @@ -197,7 +175,6 @@ MAC_PERFORM(vnode_destroy_label, label); mac_labelzone_free(label); - MAC_DEBUG_COUNTER_DEC(&nmacvnodes); } void