Date: Fri, 22 Aug 2003 09:59:52 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 36680 for review Message-ID: <200308221659.h7MGxqLs024954@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=36680 Change 36680 by cvance@cvance_osx_laptop on 2003/08/22 09:59:42 Sync with trustedbsd branch: - replace debug operations with macro calls - toggle enforcement flags - minor misc. code syncs Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#16 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#16 (text+ko) ==== @@ -132,7 +132,6 @@ */ static int ea_warn_once = 0; -#ifndef MAC_ALWAYS_LABEL_MBUF /* * Flag to indicate whether or not we should allocate label storage for * new mbufs. Since most dynamic policies we currently work with don't 
@@ -144,54 +143,55 @@ * already has to deal with uninitialized labels, this probably won't * be a problem. Note: currently no locking. Will this be a problem? */ +#ifndef MAC_ALWAYS_LABEL_MBUF static int mac_labelmbufs = 0; #endif -static int mac_enforce_fs = 0; +static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); -static int mac_enforce_kld = 0; +static int mac_enforce_kld = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld); -static int mac_enforce_network = 0; +static int mac_enforce_network = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); -static int mac_enforce_pipe = 0; +static int mac_enforce_pipe = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); -static int mac_enforce_process = 0; +static int mac_enforce_process = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); -static int mac_enforce_socket = 0; +static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); -static int mac_enforce_system = 0; +static int mac_enforce_system = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW, &mac_enforce_system, 0, "Enforce MAC policy on system 
operations"); TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system); -static int mac_enforce_vm = 0; +static int mac_enforce_vm = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); -static int mac_mmap_revocation = 0; +static int mac_mmap_revocation = 1; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " "relabel"); -static int mac_mmap_revocation_via_cow = 0; +static int mac_mmap_revocation_via_cow = 1; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); @@ -214,13 +214,16 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, "TrustedBSD MAC object counters"); -static unsigned int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0, +static u_int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0, nmacsockets=0, nmacmounts=0, nmactemp=0, nmacvnodes=0, nmacdevfsdirents=0, nmacipqs=0, nmacpipes=0, nmacprocs=0; +#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1); +#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1); + SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); -SYSCTL_INT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, &nmaccreds, 0, "number of ucreds in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); 
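Review bot: The eight `mac_enforce_*` knobs and both `mac_mmap_revocation*` knobs flip their default from 0 to 1 in this hunk, but nothing in the file records why this tree enforces by default; only the commit message ("toggle enforcement flags") does. A one-line comment above `static int mac_enforce_fs = 1;` such as `/* Enforcement is on by default in this tree; each knob can still be cleared via its loader tunable or the RW sysctl. */` would keep the intent next to the code, since every knob here has both a `TUNABLE_INT` and a `CTLFLAG_RW` `SYSCTL_INT`. Given their description strings, the two `mmap_revocation` defaults deserve a mention in that comment as well, because they affect already-mapped files when a subject is relabeled rather than only new accesses.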
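Review bot: The new `MAC_DEBUG_COUNTER_INC`/`MAC_DEBUG_COUNTER_DEC` definitions end in a semicolon (`#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);`) while every call site in the later hunks also writes `MAC_DEBUG_COUNTER_INC(&...);`, so each use expands to an extra empty statement and an unbraced `if (...) MAC_DEBUG_COUNTER_INC(...); else ...` would fail to compile. Define them without the trailing semicolon and parenthesize the argument: `#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int((x), 1)` and `#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int((x), 1)`. These live in the `MAC_DEBUG` branch whose `#ifdef` is above the hunk; the empty `#else` definitions added in the `@@ -242` hunk are already semicolon-free and need no change.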
@@ -242,6 +245,9 @@
 &nmacvnodes, 0, "number of vnodes in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
 &nmacdevfsdirents, 0, "number of devfs dirents inuse");
+#else
+#define MAC_DEBUG_COUNTER_INC(x)
+#define MAC_DEBUG_COUNTER_DEC(x)
 #endif
 
 static int error_select(int error1, int error2);
@@ -564,31 +570,22 @@ static void mac_policy_updateflags(void) { +#ifndef MAC_ALWAYS_LABEL_MBUF struct mac_policy_conf *tmpc; -#ifndef MAC_ALWAYS_LABEL_MBUF int labelmbufs; -#endif mac_policy_assert_exclusive(); -#ifndef MAC_ALWAYS_LABEL_MBUF labelmbufs = 0; -#endif LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { -#ifndef MAC_ALWAYS_LABEL_MBUF if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) labelmbufs++; -#endif } LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { -#ifndef MAC_ALWAYS_LABEL_MBUF if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) labelmbufs++; -#endif } - -#ifndef MAC_ALWAYS_LABEL_MBUF mac_labelmbufs = (labelmbufs != 0); #endif }
@@ -832,9 +829,7 @@
 
 mac_init_label(&bpf_d->bd_label);
 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacbpfdescs, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
 }
 
 static void
@@ -843,9 +838,7 @@
 
 mac_init_label(label);
 MAC_PERFORM(init_cred_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmaccreds, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmaccreds);
 }
 
 void
@@ -862,9 +855,7 @@
 
 mac_init_label(&de->de_label);
 MAC_PERFORM(init_devfsdirent_label, &de->de_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacdevfsdirents, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
 }
 #endif
 
@@ -874,9 +865,7 @@
 
 mac_init_label(label);
 MAC_PERFORM(init_ifnet_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacifnets, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacifnets);
 }
 
 void
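Review bot: In the `@@ -564` hunk, hoisting `#ifndef MAC_ALWAYS_LABEL_MBUF` to the top of `mac_policy_updateflags()` also puts `mac_policy_assert_exclusive();` inside the conditional, so a build with `MAC_ALWAYS_LABEL_MBUF` defined compiles the function down to an empty body and loses the exclusive-lock assertion the old code ran unconditionally. Keep the check outside the guard: place `mac_policy_assert_exclusive();` directly after the opening `{` and before `#ifndef MAC_ALWAYS_LABEL_MBUF`, and drop the copy that is now inside it. The remaining hunks on this line are mechanical substitutions of the counter macro and raise nothing on their own.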
@@ -897,11 +886,9 @@
 if (error) {
 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
 mac_destroy_label(&ipq->ipq_label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
 }
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacipqs, 1);
-#endif
 return (error);
 }
 
@@ -919,11 +906,9 @@
 if (error) {
 MAC_PERFORM(destroy_mbuf_label, label);
 mac_destroy_label(label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacmbufs);
 }
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacmbufs, 1);
-#endif
 return (error);
 }
 #endif
@@ -964,13 +949,11 @@
 if (error) {
 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
 mac_destroy_label(&m->m_pkthdr.label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacmbufs);
 }
 #endif /* NO_MBUF */
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacmbufs, 1);
 #endif
-#endif
 return (error);
 }
 
@@ -982,9 +965,7 @@
 mac_init_label(&mp->mnt_fslabel);
 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacmounts, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacmounts);
 }
 
 #if 0
@@ -994,9 +975,7 @@
 
 mac_init_label(label);
 MAC_PERFORM(init_pipe_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacpipes, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacpipes);
 }
 
 void
@@ -1018,9 +997,7 @@
 
 mac_init_label(&p->p_label);
 MAC_PERFORM(init_proc_label, &p->p_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacprocs, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacprocs);
 }
 
 static int
@@ -1034,13 +1011,9 @@
 if (error) {
 MAC_PERFORM(destroy_socket_label, label);
 mac_destroy_label(label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
 }
-
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacsockets, 1);
-#endif
-
 return (error);
 }
 
@@ -1082,9 +1055,7 @@
 
 mac_init_label(label);
 MAC_PERFORM(init_vnode_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacvnodes, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacvnodes);
 }
 
 void
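Review bot: In the `@@ -964` hunk the new `MAC_DEBUG_COUNTER_INC(&nmacmbufs);` sits before `#endif /* NO_MBUF */`, whereas the matching `MAC_DEBUG_COUNTER_DEC(&nmacmbufs);` in `@@ -1173` on the next line is placed after that function's `#endif /* NO_MBUF */`; before this change both counter operations were outside the NO_MBUF region. If the `NO_MBUF` guards cover the same statements in both functions (their `#if` lines are above both hunks), a NO_MBUF build with MAC_DEBUG never increments on init but still decrements on destroy, so the `u_int` counter wraps on the first free. Mirror the init side by moving `MAC_DEBUG_COUNTER_DEC(&nmacmbufs);` above `#endif /* NO_MBUF */` in the destroy function, or keep both operations outside the guard as before.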
@@ -1100,9 +1071,7 @@
 
 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
 mac_destroy_label(&bpf_d->bd_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacbpfdescs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
 }
 
 static void
@@ -1111,9 +1080,7 @@
 
 MAC_PERFORM(destroy_cred_label, label);
 mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmaccreds, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmaccreds);
 }
 
 void
@@ -1130,9 +1097,7 @@
 
 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
 mac_destroy_label(&de->de_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacdevfsdirents, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
 }
 #endif
 
@@ -1142,9 +1107,7 @@
 
 MAC_PERFORM(destroy_ifnet_label, label);
 mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacifnets, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacifnets);
 }
 
 void
@@ -1160,9 +1123,7 @@
 
 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
 mac_destroy_label(&ipq->ipq_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacipqs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
 }
 
 void
@@ -1173,9 +1134,7 @@
 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
 mac_destroy_label(&m->m_pkthdr.label);
 #endif /* NO_MBUF */
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacmbufs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
 }
 
 void
@@ -1186,9 +1145,7 @@
 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
 mac_destroy_label(&mp->mnt_fslabel);
 mac_destroy_label(&mp->mnt_mntlabel);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacmounts, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
 
 #if 0
@@ -1198,9 +1155,7 @@
 
 MAC_PERFORM(destroy_pipe_label, label);
 mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacpipes, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacpipes);
 }
 
 void
@@ -1218,9 +1173,7 @@
 
 MAC_PERFORM(destroy_proc_label, &p->p_label);
 mac_destroy_label(&p->p_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacprocs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacprocs);
 }
 
 static void
@@ -1229,9 +1182,7 @@
 
 MAC_PERFORM(destroy_socket_label, label);
 mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacsockets, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
 }
 
 static void
@@ -1256,9 +1207,7 @@
 
 MAC_PERFORM(destroy_vnode_label, label);
 mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacvnodes, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
 }
 
 void