PERFORCE change 86421 for review
Todd Miller
millert at FreeBSD.org
Mon Nov 7 15:31:31 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=86421
Change 86421 by millert at millert_ibook on 2005/11/07 15:30:32
Enable audit rate limiting on darwin
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/avc.c#8 (text+ko) ====
@@ -75,6 +75,7 @@
#ifdef __APPLE__
static mutex_t *avc_lock;
static mutex_t *avc_log_lock;
+uint64_t avc_msg_cost, avc_msg_burst;
#else
static struct mtx avc_lock;
static struct mtx avc_log_lock;
@@ -229,6 +230,8 @@
#ifdef __APPLE__
avc_lock = mutex_alloc(ETAP_NO_TRACE);
avc_log_lock = mutex_alloc(ETAP_NO_TRACE);
+ nanoseconds_to_absolutetime(5000000000ULL, &avc_msg_cost);
+ avc_msg_burst = 10 * avc_msg_cost;
#else
mtx_init(&avc_lock, "SEBSD AVC", NULL, MTX_DEF);
mtx_init(&avc_log_lock, "SEBSD message lock", NULL, MTX_DEF);
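Review bot: The literal `5000000000ULL` on the first added line is the Darwin spelling of the same "5 seconds" that the `!__APPLE__` side expresses as `AVC_MSG_COST 5*HZ`, but nothing ties the two together, so the next person tuning the rate limit has to find and change both. A named constant or at least a comment, `/* 5 s per message, matches AVC_MSG_COST = 5*HZ below */`, on that line would keep the two branches in step; the `10 *` multiplier on the next line likewise mirrors `AVC_MSG_BURST 10*5*HZ`. The enclosing init function starts and ends outside this hunk.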
@@ -469,13 +472,17 @@
printk(" %s=%d", name2, ntohs(port));
}
-#if 0
+#ifdef __APPLE__
+#define AVC_MSG_COST avc_msg_cost
+#define AVC_MSG_BURST avc_msg_burst
+#else
/*
* Copied from net/core/utils.c:net_ratelimit and modified for
* use by the AVC audit facility.
*/
#define AVC_MSG_COST 5*HZ
#define AVC_MSG_BURST 10*5*HZ
+#endif
/*
* This enforces a rate limit: not more than one kernel message
@@ -483,12 +490,26 @@
*/
static int avc_ratelimit(void)
{
+#ifdef __APPLE__
+ static mutex_t *ratelimit_lock;
+ static uint64_t toks;
+ static uint64_t last_msg;
+ static int missed, rc = 0;
+ uint64_t now;
+
+ now = mach_absolute_time();
+ if (ratelimit_lock == NULL) {
+ ratelimit_lock = mutex_alloc(ETAP_NO_TRACE);
+ toks = avc_msg_burst;
+ }
+#else
static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
- static unsigned long toks = 10*5*HZ;
+ static unsigned long toks = AVC_MSG_BURST;
static unsigned long last_msg;
static int missed, rc = 0;
unsigned long flags;
unsigned long now = jiffies;
+#endif
spin_lock_irqsave(&ratelimit_lock, flags);
toks += now - last_msg;
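Review bot: The lazy initialisation in the added `if (ratelimit_lock == NULL)` block runs before any lock is held, so two threads entering avc_ratelimit() for the first time concurrently can both see NULL, both call `mutex_alloc()`, and then lock different mutexes (leaking one and leaving the counters unprotected for that first pair of messages); since the init function in the earlier hunk already allocates `avc_lock` and computes `avc_msg_burst`, allocating `ratelimit_lock` there and seeding `toks` at the same time would remove the race, at the cost of hoisting those two statics to file scope. The return value of `mutex_alloc()` is also not checked here, whereas the surrounding code appears to treat it as infallible — worth confirming that is the Darwin convention. Separately, the Apple branch assigns `toks = avc_msg_burst;` directly although the same change introduces `AVC_MSG_BURST` for exactly this purpose and switches the FreeBSD branch to it; `toks = AVC_MSG_BURST;` would keep both branches reading the same way. The body of avc_ratelimit() continues past the end of this hunk.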
@@ -522,15 +543,6 @@
}
}
-#else
-
-static inline int check_avc_ratelimit(void)
-{
- return 1;
-}
-
-#endif
-
/**
* avc_audit - Audit the granting or denial of permissions.
* @ssid: source security identifier