PERFORCE change 36680 for review
Chris Vance
cvance at FreeBSD.org
Fri Aug 22 16:59:52 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=36680
Change 36680 by cvance at cvance_osx_laptop on 2003/08/22 09:59:42
Sync with trustedbsd branch:
- replace debug operations with macro calls
- toggle enforcement flags
- minor misc. code syncs
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#16 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#16 (text+ko) ====
@@ -132,7 +132,6 @@
*/
static int ea_warn_once = 0;
-#ifndef MAC_ALWAYS_LABEL_MBUF
/*
* Flag to indicate whether or not we should allocate label storage for
* new mbufs. Since most dynamic policies we currently work with don't
@@ -144,54 +143,55 @@
* already has to deal with uninitialized labels, this probably won't
* be a problem. Note: currently no locking. Will this be a problem?
*/
+#ifndef MAC_ALWAYS_LABEL_MBUF
static int mac_labelmbufs = 0;
#endif
-static int mac_enforce_fs = 0;
+static int mac_enforce_fs = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
&mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-static int mac_enforce_kld = 0;
+static int mac_enforce_kld = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
&mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
-static int mac_enforce_network = 0;
+static int mac_enforce_network = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
&mac_enforce_network, 0, "Enforce MAC policy on network packets");
TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
-static int mac_enforce_pipe = 0;
+static int mac_enforce_pipe = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
&mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
-static int mac_enforce_process = 0;
+static int mac_enforce_process = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-static int mac_enforce_socket = 0;
+static int mac_enforce_socket = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-static int mac_enforce_system = 0;
+static int mac_enforce_system = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
&mac_enforce_system, 0, "Enforce MAC policy on system operations");
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
-static int mac_enforce_vm = 0;
+static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
-static int mac_mmap_revocation = 0;
+static int mac_mmap_revocation = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
"relabel");
-static int mac_mmap_revocation_via_cow = 0;
+static int mac_mmap_revocation_via_cow = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
"copy-on-write semantics, or by removing all write access");
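Review bot: Every enforcement flag in this block now defaults to 1, but each one stays `CTLFLAG_RW` and has a `TUNABLE_INT`, so enforcement can still be switched off at boot or at runtime by whoever is allowed to write `security.mac.*`; whether the framework itself mediates those sysctl writes is not visible in this hunk. The commit message only says "toggle enforcement flags", so a one-line comment above `static int mac_enforce_fs = 1;` such as `/* Enforcement is on by default; each flag can be cleared via sysctl or loader tunable. */` would record that the fail-closed default is deliberate. Note also that `mac_labelmbufs` keeps its default of 0 while `mac_enforce_network` is now 1, which relies on the statement in the comment above that policies already cope with uninitialized mbuf labels.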
@@ -214,13 +214,16 @@
SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
"TrustedBSD MAC object counters");
-static unsigned int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0,
+static u_int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0,
nmacsockets=0, nmacmounts=0, nmactemp=0, nmacvnodes=0, nmacdevfsdirents=0,
nmacipqs=0, nmacpipes=0, nmacprocs=0;
+#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
+#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
+
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
-SYSCTL_INT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
&nmaccreds, 0, "number of ucreds in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
&nmacifnets, 0, "number of ifnets in use");
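Review bot: The two new macros `MAC_DEBUG_COUNTER_INC`/`MAC_DEBUG_COUNTER_DEC` carry a trailing semicolon, so every call site below expands to `atomic_add_int(..., 1);;`, and an unbraced `if (...) MAC_DEBUG_COUNTER_INC(x); else ...` would not compile in a MAC_DEBUG build. Drop the semicolon and parenthesize the argument: `#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int((x), 1)` and `#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int((x), 1)`. The `#ifdef MAC_DEBUG` that presumably guards this block opens outside the hunk.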
@@ -242,6 +245,9 @@
&nmacvnodes, 0, "number of vnodes in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
&nmacdevfsdirents, 0, "number of devfs dirents inuse");
+#else
+#define MAC_DEBUG_COUNTER_INC(x)
+#define MAC_DEBUG_COUNTER_DEC(x)
#endif
static int error_select(int error1, int error2);
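Review bot: The no-op definitions added under `#else` expand to nothing, so a call such as `MAC_DEBUG_COUNTER_INC(&nmacvnodes);` becomes a lone `;` in non-debug builds; define them as `#define MAC_DEBUG_COUNTER_INC(x) do { } while (0)` (and likewise for `_DEC`) so they remain statements in every syntactic context. A short comment above the `#else`, e.g. `/* Counter bookkeeping is compiled out without MAC_DEBUG; arguments are not evaluated. */`, would also tell readers that the counters cost nothing in that build. The conditional this `#else` belongs to opens outside the hunk, so I am inferring it is the `#ifdef MAC_DEBUG` around the counter sysctls.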
@@ -564,31 +570,22 @@
static void
mac_policy_updateflags(void)
{
+#ifndef MAC_ALWAYS_LABEL_MBUF
struct mac_policy_conf *tmpc;
-#ifndef MAC_ALWAYS_LABEL_MBUF
int labelmbufs;
-#endif
mac_policy_assert_exclusive();
-#ifndef MAC_ALWAYS_LABEL_MBUF
labelmbufs = 0;
-#endif
LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
-#ifndef MAC_ALWAYS_LABEL_MBUF
if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
labelmbufs++;
-#endif
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
-#ifndef MAC_ALWAYS_LABEL_MBUF
if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
labelmbufs++;
-#endif
}
-
-#ifndef MAC_ALWAYS_LABEL_MBUF
mac_labelmbufs = (labelmbufs != 0);
#endif
}
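Review bot: With `MAC_ALWAYS_LABEL_MBUF` defined, the `#ifndef` now placed at the top of `mac_policy_updateflags` also compiles out `mac_policy_assert_exclusive();`, which the old code ran unconditionally; the function becomes empty and any flag added to it later would silently lose the lock assertion. Close the `#ifndef` with `#endif` right after the two declarations, call `mac_policy_assert_exclusive();` unconditionally, and reopen `#ifndef MAC_ALWAYS_LABEL_MBUF` before `labelmbufs = 0;`. Since the comment earlier in the file asks whether the unlocked access to `mac_labelmbufs` is a problem, a comment on the assignment noting that the write happens under the exclusive-policy assertion (readers are still unsynchronized) would answer half of that question.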
@@ -832,9 +829,7 @@
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacbpfdescs, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
}
static void
@@ -843,9 +838,7 @@
mac_init_label(label);
MAC_PERFORM(init_cred_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmaccreds, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmaccreds);
}
void
@@ -862,9 +855,7 @@
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacdevfsdirents, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
}
#endif
@@ -874,9 +865,7 @@
mac_init_label(label);
MAC_PERFORM(init_ifnet_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacifnets, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacifnets);
}
void
@@ -897,11 +886,9 @@
if (error) {
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
}
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacipqs, 1);
-#endif
return (error);
}
@@ -919,11 +906,9 @@
if (error) {
MAC_PERFORM(destroy_mbuf_label, label);
mac_destroy_label(label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacmbufs);
}
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacmbufs, 1);
-#endif
return (error);
}
#endif
@@ -964,13 +949,11 @@
if (error) {
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacmbufs);
}
#endif /* NO_MBUF */
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacmbufs, 1);
#endif
-#endif
return (error);
}
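Review bot: The increment of `nmacmbufs` has moved inside the region closed by `#endif /* NO_MBUF */`, while the matching `MAC_DEBUG_COUNTER_DEC(&nmacmbufs);` in the destroy hunk further down still sits after its own `#endif /* NO_MBUF */`; in a build where that guard excludes the label code the counter is decremented without ever being incremented and, being `u_int`, wraps. Either move the decrement inside the same guard or keep the increment outside it as the old code did. The opening of the guard and the start of this function are not in the hunk, so I cannot see which side is compiled; a comment on the counter line naming the guard it pairs with would make the asymmetry easy to spot.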
@@ -982,9 +965,7 @@
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacmounts, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacmounts);
}
#if 0
@@ -994,9 +975,7 @@
mac_init_label(label);
MAC_PERFORM(init_pipe_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacpipes, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacpipes);
}
void
@@ -1018,9 +997,7 @@
mac_init_label(&p->p_label);
MAC_PERFORM(init_proc_label, &p->p_label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacprocs, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacprocs);
}
static int
@@ -1034,13 +1011,9 @@
if (error) {
MAC_PERFORM(destroy_socket_label, label);
mac_destroy_label(label);
+ } else {
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
}
-
-#ifdef MAC_DEBUG
- if (error == 0)
- atomic_add_int(&nmacsockets, 1);
-#endif
-
return (error);
}
@@ -1082,9 +1055,7 @@
mac_init_label(label);
MAC_PERFORM(init_vnode_label, label);
-#ifdef MAC_DEBUG
- atomic_add_int(&nmacvnodes, 1);
-#endif
+ MAC_DEBUG_COUNTER_INC(&nmacvnodes);
}
void
@@ -1100,9 +1071,7 @@
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacbpfdescs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
static void
@@ -1111,9 +1080,7 @@
MAC_PERFORM(destroy_cred_label, label);
mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmaccreds, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
void
@@ -1130,9 +1097,7 @@
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacdevfsdirents, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
#endif
@@ -1142,9 +1107,7 @@
MAC_PERFORM(destroy_ifnet_label, label);
mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacifnets, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
void
@@ -1160,9 +1123,7 @@
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacipqs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
@@ -1173,9 +1134,7 @@
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#endif /* NO_MBUF */
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacmbufs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
}
void
@@ -1186,9 +1145,7 @@
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacmounts, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
#if 0
@@ -1198,9 +1155,7 @@
MAC_PERFORM(destroy_pipe_label, label);
mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacpipes, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
void
@@ -1218,9 +1173,7 @@
MAC_PERFORM(destroy_proc_label, &p->p_label);
mac_destroy_label(&p->p_label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacprocs, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
static void
@@ -1229,9 +1182,7 @@
MAC_PERFORM(destroy_socket_label, label);
mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacsockets, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
@@ -1256,9 +1207,7 @@
MAC_PERFORM(destroy_vnode_label, label);
mac_destroy_label(label);
-#ifdef MAC_DEBUG
- atomic_subtract_int(&nmacvnodes, 1);
-#endif
+ MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
void