PERFORCE change 79303 for review

Robert Watson rwatson at FreeBSD.org
Thu Jun 30 14:49:30 GMT 2005


http://perforce.freebsd.org/chv.cgi?CH=79303

Change 79303 by rwatson at rwatson_zoo on 2005/06/30 14:48:57

	Add an AVC auditing frob, selinux_auditing, similar to
	selinux_enforcing, in order to make it easier to enable and disable
	auditing during debugging.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#8 (text+ko) ====

@@ -39,6 +39,7 @@
 #include <security/sebsd/avc/av_inherit.h>
 #include <security/sebsd/avc/av_perm_to_string.h>
 
+int selinux_auditing = 1;
 int selinux_enforcing = 0;
 
 #define AVC_CACHE_SLOTS		512
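Review bot: The new global `selinux_auditing` at the top of this hunk is introduced without a comment, although its effect (when zero, check_avc_ratelimit() suppresses every AVC message, in enforcing and permissive mode alike) cannot be read off the declaration. Suggest `/* Emit AVC audit messages at all; 0 silences them. Set via security.mac.sebsd.auditing. */` above it. Defaulting the flag to 1 preserves the pre-change behaviour, which is worth saying in that comment too, since the neighbouring selinux_enforcing defaults to 0 and a reader may assume the two follow the same convention.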
@@ -503,6 +504,17 @@
 
 static inline int check_avc_ratelimit(void)
 {
+
+	/*
+	 * If auditing is not enabled, suppress all messages.
+	 */
+	if (!selinux_auditing)
+		return 0;
+
+	/*
+	 * Otherwise, rate limit messages in enforcing mode, or display all
+	 * messages in permissive mode.
+	 */
 	if (selinux_enforcing)
 		return avc_ratelimit();
 	else {
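Review bot: With the new early return placed ahead of the selinux_enforcing test, setting selinux_auditing to 0 while the system is permissive leaves a denied access neither enforced nor logged, so nothing records that a policy violation occurred; the comment should state that consequence rather than just "suppress all messages", e.g. `/* Auditing off: silence every AVC message, even in permissive mode where the log line is otherwise the only trace of a denial. */`. The flag is also read here without any synchronisation against the sysctl writer; for a word-sized int toggled during debugging that is acceptable, but a one-line comment saying so saves the next reader the question. check_avc_ratelimit's body continues past the end of the hunk.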
@@ -515,7 +527,14 @@
 
 static inline int check_avc_ratelimit(void)
 {
-	return 1;
+
+	/*
+	 * If auditing is not enabled, suppress all audit messages.
+	 */
+	if (selinux_auditing)
+		return 1;
+	else
+		return 0;
 }
 
 #endif
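Review bot: The if/else at the end of the non-DEVELOP check_avc_ratelimit() only normalises the flag to 0 or 1, which reads more directly as `return (selinux_auditing != 0);`. The comment above it says "suppress all audit messages" while the branch it sits on is the one that lets messages through; `/* Pass every message through when auditing is on, none otherwise. */` matches the code. This is the same flag test as in the CONFIG_SECURITY_SELINUX_DEVELOP variant above, minus the rate limiting, and the two comments would ideally say the same thing.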

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#8 (text+ko) ====

@@ -22,6 +22,8 @@
 #include <security/sebsd/avc/av_permissions.h>
 #include <security/sebsd/ss/security.h>
 
+extern int selinux_auditing;
+
 #define CONFIG_SECURITY_SELINUX_DEVELOP
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ====

@@ -97,6 +97,40 @@
 }
 
 /*
+ * Sysctl handler for security.mac.sebsd.auditing.  Get or set whether the
+ * avc will audit failures.
+ */
+static int
+sysctl_sebsd_auditing(SYSCTL_HANDLER_ARGS)
+{
+	int error, auditing;
+
+	/* TBD: XXX Always allow the users to find out? */
+	auditing = selinux_auditing;
+	error = SYSCTL_OUT(req, &auditing, sizeof(auditing));
+	if (error)
+		return (error);
+
+	if (req->newptr != NULL) {
+		error = SYSCTL_IN(req, &auditing, sizeof(auditing));
+		if (error)
+			return (error);
+
+		/*
+		 * Treat ability to set audit status as equivilent to
+		 * changing enforcement status.
+		 */
+		error = thread_has_system (curthread, SECURITY__SETENFORCE);
+		if (error)
+			return error;
+
+		selinux_auditing = auditing;
+	}
+
+	return (0);
+}
+
+/*
  * Sysctl handler for security.mac.sebsd.enforcing
  * Get and/or set whether the avc is in enforcement mode.
  */
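Review bot: `return error;` after the thread_has_system() call drops the parentheses that the other two returns in sysctl_sebsd_auditing() use (`return (error);`), and the call itself has a space before its argument list; both should follow the surrounding style(9) form. The value is stored unnormalised, so a write of (say) 2 reads back as 2 although every consumer only tests it for non-zero; `selinux_auditing = (auditing != 0);` keeps the readback tidy. The comment above the privilege check misspells "equivalent". The check does precede the assignment, which is the right order, and it guards only the write path, which is what the TBD above it is about.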
@@ -312,5 +346,7 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
  	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
 	   "SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW,
+	   NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
 	   NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");