PERFORCE change 36510 for review

Chris Vance cvance at FreeBSD.org
Wed Aug 20 18:46:02 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=36510

Change 36510 by cvance at cvance_osx_laptop on 2003/08/20 11:45:39

	Try using only the dynamic sysctl interface.  This requires 
	pre-defining some structures and initializing/registering sysctls
	at framework initialization time.
	
	Add some (mostly) bogus atomic int operations.  No clue whether 
	they really are atomic on G{3,4,5} processors.  We only use them 
	for debugging counters, so it's mostly safe.
	
	Export mac_init and mac_late_init

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 (text+ko) ====

@@ -97,6 +97,16 @@
 	if (vp && !VOP_ISLOCKED(vp)) \
 		Debugger("vnode lock violation.\n");
 
+#define atomic_add_int(P, V)         (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V)    (*(u_int*)(P) -= (V))
+
+struct sysctl_oid_list sysctl__security_children;
+SYSCTL_DECL(_security);
+SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW, 0, 
+    "Security Controls");
+
+struct sysctl_oid_list sysctl__security_mac_children;
+SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
     "TrustedBSD MAC policy controls");
 
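Review bot: The two macros added at the top of the hunk, `atomic_add_int` and `atomic_subtract_int`, expand to a plain `+=`/`-=` read-modify-write on a `u_int`, so they are not atomic on any processor; two CPUs or a preempting thread updating the same counter can lose increments, and the `(u_int*)` cast also silences any type mismatch in the argument. That is tolerable while they only back the MAC_DEBUG counters, but the names promise a guarantee the code does not give, so the macros should say so explicitly, e.g. `/* NOT atomic: plain RMW on a u_int. Debug-counter use only; updates may be lost under SMP or preemption. */`. If this XNU tree carries a real PowerPC primitive (hw_atomic_add/hw_atomic_sub, if present), wrapping that instead would remove the caveat without touching any caller.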
@@ -187,6 +197,8 @@
     "copy-on-write semantics, or by removing all write access");
 
 #ifdef MAC_DEBUG
+struct sysctl_oid_list sysctl__security_mac_debug_children;
+SYSCTL_DECL(_security_mac_debug);
 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
     "TrustedBSD MAC debug info");
 
@@ -197,16 +209,18 @@
 TUNABLE_INT("security.mac.debug_label_fallback",
     &mac_debug_label_fallback);
 
+struct sysctl_oid_list sysctl__security_mac_debug_counters_children;
+SYSCTL_DECL(_security_mac_debug_counters);
 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
     "TrustedBSD MAC object counters");
 
-static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
-    nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
-    nmacipqs, nmacpipes, nmacprocs;
+static unsigned int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0,
+    nmacsockets=0, nmacmounts=0, nmactemp=0, nmacvnodes=0, nmacdevfsdirents=0,
+    nmacipqs=0, nmacpipes=0, nmacprocs=0;
 
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
     &nmacmbufs, 0, "number of mbufs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
+SYSCTL_INT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
     &nmacifnets, 0, "number of ifnets in use");
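Review bot: The `creds` counter is switched from `SYSCTL_UINT` to `SYSCTL_INT` while `nmaccreds` stays `unsigned int` and every sibling counter in the hunk keeps `SYSCTL_UINT`, so this one value is exported through a signed handler and the declared and exported types no longer agree. With a plain-increment counter that is only a formatting problem above 2^31, but the inconsistency looks accidental; unless SYSCTL_UINT fails for this entry on XNU (nothing in the hunk suggests it does), the line should read `SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,`. Either macro defines `sysctl__security_mac_debug_counters_creds`, so the registration call elsewhere in the change is unaffected. The explicit `=0` initializers on the static counters are redundant because static storage is zero-initialized, though harmless.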
@@ -489,7 +503,7 @@
 /*
  * Initialize the MAC subsystem, including appropriate SMP locks.
  */
-static void
+void
 mac_init(void)
 {
 
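Review bot: Making `mac_init` external changes its contract without documenting it: the header comment still says only that it initializes locks, while the function now also registers the whole `security.*` sysctl tree (later in this change) and must run exactly once, before any sysctl lookup and before `mac_late_init`. I would extend the comment with `Must be called exactly once, before mac_late_init() and before any access to the security.* sysctl tree; it registers those OIDs with the dynamic sysctl interface.` and add a matching prototype, `void mac_init(void);`, to the MAC header so callers in other files do not depend on an implicit declaration. The body of mac_init continues past this hunk.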
@@ -498,6 +512,37 @@
 
 	mac_policy_mtx = mutex_alloc(ETAP_NO_TRACE);
 	cv_init(&mac_policy_cv, "mac_policy_cv");
+
+	sysctl_register_oid(&sysctl__security);
+	sysctl_register_oid(&sysctl__security_mac);
+	sysctl_register_oid(&sysctl__security_mac_max_slots);
+	sysctl_register_oid(&sysctl__security_mac_enforce_fs);
+	sysctl_register_oid(&sysctl__security_mac_enforce_kld);
+	sysctl_register_oid(&sysctl__security_mac_enforce_network);
+	sysctl_register_oid(&sysctl__security_mac_enforce_pipe);
+	sysctl_register_oid(&sysctl__security_mac_enforce_process);
+	sysctl_register_oid(&sysctl__security_mac_enforce_socket);
+	sysctl_register_oid(&sysctl__security_mac_enforce_system);
+	sysctl_register_oid(&sysctl__security_mac_enforce_vm);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation_via_cow);
+#ifdef MAC_DEBUG
+	sysctl_register_oid(&sysctl__security_mac_debug);
+	sysctl_register_oid(&sysctl__security_mac_debug_label_fallback);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mbufs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_creds);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ifnets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ipqs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_bpfdescs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_sockets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_pipes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_procs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mounts);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_temp);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_vnodes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_devfsdirents);
+#endif
 }
 
 /*
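Review bot: The block of `sysctl_register_oid` calls is a second, hand-maintained copy of every `SYSCTL_*` definition in the file, and nothing ties the two together: an OID that is defined but not listed here never appears under `security.`, which for an `enforce_*` knob means the control silently cannot be inspected or changed, and the enforce_* definitions are not in this change so their completeness cannot be checked from here. Now that `mac_init` is exported (earlier in this change), a second call would also hand each OID to `sysctl_register_oid` a second time and re-run `mutex_alloc`, which is presumably not intended. I would move the OIDs into a static table next to the definitions, iterate over it, and make the function a no-op after the first call, as sketched below; the mutex/cv setup is unchanged. A sized array also makes a missing entry easier to spot in review than a run of identical calls.

```c
/* Every OID defined in this file must appear here, or it is never visible. */
static struct sysctl_oid *mac_sysctl_oids[] = {
	&sysctl__security,
	&sysctl__security_mac,
	&sysctl__security_mac_max_slots,
	/* … unchanged: remaining enforce_* and mmap_revocation* entries … */
#ifdef MAC_DEBUG
	&sysctl__security_mac_debug,
	/* … unchanged: debug_label_fallback and counters_* entries … */
#endif
};

void
mac_init(void)
{
	static int mac_init_done = 0;
	int i;

	/* Exported now; must not re-register OIDs or re-allocate locks. */
	if (mac_init_done)
		return;
	mac_init_done = 1;

	/* … unchanged: mutex and cv initialization … */

	for (i = 0; i < sizeof(mac_sysctl_oids) / sizeof(mac_sysctl_oids[0]); i++)
		sysctl_register_oid(mac_sysctl_oids[i]);
}
```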
@@ -505,7 +550,7 @@
  * "early", set the mac_late flag once we've processed modules either
  * linked into the kernel, or loaded before the kernel startup.
  */
-static void
+void
 mac_late_init(void)
 {
 