Date:      Tue, 13 Nov 2012 16:49:36 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 219768 for review
Message-ID:  <201211131649.qADGnaBP030305@skunkworks.freebsd.org>

http://p4web.freebsd.org/@@219768?ac=10

Change 219768 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2012/11/13 16:48:52

	Export a counter of CHERI system call violations (i.e., blocked
	attempts to directly invoke system calls from within a sandbox).

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#10 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#10 (text+ko) ====

@@ -33,9 +33,11 @@
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/sysctl.h>
 
 #include <ddb/ddb.h>
 
+#include <machine/atomic.h>
 #include <machine/cheri.h>
 #include <machine/pcb.h>
 
@@ -54,6 +56,14 @@
  * call, and reload them afterwards.
  */
 
+static SYSCTL_NODE(_security, OID_AUTO, cheri, CTLFLAG_RD, 0,
+    "CHERI parameters and statistics");
+
+/* XXXRW: Should possibly be u_long. */
+static u_int	security_cheri_syscall_violations;
+SYSCTL_UINT(_security_cheri, OID_AUTO, syscall_violations, CTLFLAG_RD,
+    &security_cheri_syscall_violations, 0, "Number of system calls blocked");
+
 /*
  * Given an existing more privileged capability (fromcrn), build a new
  * capability in tocrn with the contents of the passed flattened
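Review bot: The counter `security_cheri_syscall_violations` is declared `u_int`, so on a long-running system it can wrap, and a monitor that diffs successive readings would then under-report blocked calls; the XXXRW comment already flags the width. Widening it now is cheap: `static u_long security_cheri_syscall_violations;` exported with `SYSCTL_ULONG(...)`, with the increment in the last hunk changed to `atomic_add_long(&security_cheri_syscall_violations, 1);` so the three stay in step. The description string could also say what is counted, for example `"Number of system calls blocked from within a sandbox"`.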
@@ -346,8 +356,10 @@
 	intr_enable();
 	if (c.c_perms != CHERI_CAP_USER_PERMS ||
 	    c.c_base != CHERI_CAP_USER_BASE ||
-	    c.c_length != CHERI_CAP_USER_LENGTH)
+	    c.c_length != CHERI_CAP_USER_LENGTH) {
+		atomic_add_int(&security_cheri_syscall_violations, 1);
 		return (ECAPMODE);
+	}
 	return (0);
 }
 
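Review bot: The violation path at `atomic_add_int(&security_cheri_syscall_violations, 1);` records only a system-wide total, so an operator who sees the sysctl rise cannot tell which process or sandbox triggered it. Consider also emitting a rate-limited log or audit record with the offending pid and system call number next to the increment; the rate limit matters because the event is driven by sandboxed code and could otherwise flood the log. Whether the thread pointer and system call number are in scope here is not visible, since the enclosing function starts outside the hunk. At minimum, a comment such as `/* Global count only; no per-process attribution. */` above the increment would document the limitation.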


