git: d195f39d1dab - main - veriexec: Add option MAC_VERIEXEC_DEBUG

From: Stephen J. Kiernan <stevek_at_FreeBSD.org>
Date: Mon, 17 Apr 2023 15:47:52 UTC
The branch main has been updated by stevek:

URL: https://cgit.FreeBSD.org/src/commit/?id=d195f39d1dab1b1b1781ed194e74200cfb5fbaa9

commit d195f39d1dab1b1b1781ed194e74200cfb5fbaa9
Author:     Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-02 19:46:53 +0000
Commit:     Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-17 15:47:32 +0000

    veriexec: Add option MAC_VERIEXEC_DEBUG
    
    Obtained from:  Juniper Networks, Inc.
---
 sys/security/mac_veriexec/mac_veriexec.c          | 4 +---
 sys/security/mac_veriexec/mac_veriexec_internal.h | 2 +-
 sys/security/mac_veriexec/veriexec_metadata.c     | 5 ++++-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index d61943479ad6..57f3b6c307fa 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -67,7 +67,7 @@
 #define	SLOT_SET(l, v) \
 	mac_label_set((l), mac_veriexec_slot, (v))
 
-#ifdef MAC_DEBUG
+#ifdef MAC_VERIEXEC_DEBUG
 #define	MAC_VERIEXEC_DBG(_lvl, _fmt, ...)				\
 	do {								\
 		VERIEXEC_DEBUG((_lvl), (MAC_VERIEXEC_FULLNAME ": " _fmt	\
@@ -204,10 +204,8 @@ mac_veriexec_vfs_mounted(void *arg __unused, struct mount *mp,
 		return;
 
 	SLOT_SET(mp->mnt_label, va.va_fsid);
-#ifdef MAC_DEBUG
 	MAC_VERIEXEC_DBG(3, "set fsid to %ju for mount %p",
 	    (uintmax_t)va.va_fsid, mp);
-#endif
 }
 
 /**
diff --git a/sys/security/mac_veriexec/mac_veriexec_internal.h b/sys/security/mac_veriexec/mac_veriexec_internal.h
index e69f34df892e..f618ac155a83 100644
--- a/sys/security/mac_veriexec/mac_veriexec_internal.h
+++ b/sys/security/mac_veriexec/mac_veriexec_internal.h
@@ -41,7 +41,7 @@
 
 #define VERIEXEC_FILES_FIRST	1
 
-#if defined(VERIFIED_EXEC_DEBUG) || defined(VERIFIED_EXEC_DEBUG_VERBOSE)
+#ifdef MAC_VERIEXEC_DEBUG
 # define VERIEXEC_DEBUG(n, x) if (mac_veriexec_debug > (n)) printf x
 #else
 # define VERIEXEC_DEBUG(n, x)
diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 9e99f51e7e65..4b9cc9b3052f 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -41,6 +41,9 @@
 #include <sys/mutex.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
+#ifdef MAC_VERIEXEC_DEBUG
+#include <sys/syslog.h>
+#endif
 #include <sys/vnode.h>
 
 #include "mac_veriexec.h"
@@ -548,7 +551,7 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
 				break;
 
 			case EAUTH:
-#ifdef VERIFIED_EXEC_DEBUG_VERBOSE
+#ifdef MAC_VERIEXEC_DEBUG
 				{
 					char have[MAXFINGERPRINTLEN * 2 + 1];
 					char want[MAXFINGERPRINTLEN * 2 + 1];