PERFORCE change 104227 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 16 14:13:00 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104227
Change 104227 by rwatson at rwatson_zoo on 2006/08/16 14:12:28
sync to millert's cleanups in sedarwin: remove MAC_DEBUG -- this was
originally added when doing early labeling work as part of the MAC
Framework implementation, and has basically not been used since.
Creating a policy module to do the same thing is trivial.
Affected files ...
.. //depot/projects/trustedbsd/mac2/sys/conf/NOTES#3 edit
.. //depot/projects/trustedbsd/mac2/sys/conf/options#3 edit
.. //depot/projects/trustedbsd/mac2/sys/kern/kern_mac.c#5 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_inet.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_internal.h#5 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_label.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_net.c#4 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_pipe.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_posix_sem.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_process.c#4 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_socket.c#4 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_system.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_msg.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_sem.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_shm.c#3 edit
.. //depot/projects/trustedbsd/mac2/sys/security/mac/mac_vfs.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/mac2/sys/conf/NOTES#3 (text+ko) ====
@@ -998,7 +998,6 @@
options MAC
options MAC_BIBA
options MAC_BSDEXTENDED
-options MAC_DEBUG
options MAC_IFOFF
options MAC_LOMAC
options MAC_MLS
==== //depot/projects/trustedbsd/mac2/sys/conf/options#3 (text+ko) ====
@@ -103,7 +103,6 @@
MAC_ALWAYS_LABEL_MBUF opt_mac.h
MAC_BIBA opt_dontuse.h
MAC_BSDEXTENDED opt_dontuse.h
-MAC_DEBUG opt_mac.h
MAC_IFOFF opt_dontuse.h
MAC_LOMAC opt_dontuse.h
MAC_MLS opt_dontuse.h
==== //depot/projects/trustedbsd/mac2/sys/kern/kern_mac.c#5 (text+ko) ====
@@ -137,17 +137,6 @@
int mac_labelmbufs = 0;
#endif
-#ifdef MAC_DEBUG
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
- "TrustedBSD MAC debug info");
-SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
- "TrustedBSD MAC object counters");
-
-static unsigned int nmactemp;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
- &nmactemp, 0, "number of temporary labels in use");
-#endif
-
static int mac_policy_register(struct mac_policy_conf *mpc);
static int mac_policy_unregister(struct mac_policy_conf *mpc);
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_inet.c#3 (text+ko) ====
@@ -70,15 +70,6 @@
#include <security/mac/mac_internal.h>
-#ifdef MAC_DEBUG
-static unsigned int nmacinpcbs, nmacipqs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
- &nmacinpcbs, 0, "number of inpcbs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
- &nmacipqs, 0, "number of ipqs in use");
-#endif
-
static struct label *
mac_inpcb_label_alloc(int flag)
{
@@ -94,7 +85,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
return (label);
}
@@ -124,7 +114,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
return (label);
}
@@ -144,7 +133,6 @@
MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
}
void
@@ -161,7 +149,6 @@
MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_internal.h#5 (text+ko) ====
@@ -46,10 +46,6 @@
#ifdef SYSCTL_DECL
SYSCTL_DECL(_security);
SYSCTL_DECL(_security_mac);
-#ifdef MAC_DEBUG
-SYSCTL_DECL(_security_mac_debug);
-SYSCTL_DECL(_security_mac_debug_counters);
-#endif
#endif /* SYSCTL_DECL */
/*
@@ -75,18 +71,6 @@
#endif
/*
- * MAC Framework object/access counter primitives, conditionally
- * compiled.
- */
-#ifdef MAC_DEBUG
-#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
-#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
-#else
-#define MAC_DEBUG_COUNTER_INC(x)
-#define MAC_DEBUG_COUNTER_DEC(x)
-#endif
-
-/*
* MAC Framework infrastructure functions.
*/
int mac_error_select(int error1, int error2);
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_label.c#3 (text+ko) ====
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_net.c#4 (text+ko) ====
@@ -77,17 +77,6 @@
&mac_enforce_network, 0, "Enforce MAC policy on network packets");
TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
-#ifdef MAC_DEBUG
-static unsigned int nmacbpfdescs, nmacifnets, nmacmbufs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
- &nmacbpfdescs, 0, "number of bpfdescs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
- &nmacifnets, 0, "number of ifnets in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
- &nmacmbufs, 0, "number of mbufs in use");
-#endif
-
/*
* XXXRW: struct ifnet locking is incomplete in the network code, so we
* use our own global mutex for struct ifnet. Non-ideal, but should help
@@ -120,7 +109,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(bpfdesc_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
return (label);
}
@@ -138,7 +126,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(ifnet_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacifnets);
return (label);
}
@@ -162,8 +149,6 @@
if (error) {
MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacmbufs);
}
return (error);
}
@@ -203,7 +188,6 @@
MAC_PERFORM(bpfdesc_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
@@ -220,7 +204,6 @@
MAC_PERFORM(ifnet_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
void
@@ -240,7 +223,6 @@
MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_pipe.c#3 (text+ko) ====
@@ -61,12 +61,6 @@
&mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
-#ifdef MAC_DEBUG
-static unsigned int nmacpipes;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
- &nmacpipes, 0, "number of pipes in use");
-#endif
-
struct label *
mac_pipe_label_alloc(void)
{
@@ -74,7 +68,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(pipe_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacpipes);
return (label);
}
@@ -91,7 +84,6 @@
MAC_PERFORM(pipe_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_posix_sem.c#3 (text+ko) ====
@@ -54,12 +54,6 @@
&mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
-#ifdef MAC_DEBUG
-static unsigned int nmacposixsems;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_sems, CTLFLAG_RD,
- &nmacposixsems, 0, "number of posix global semaphores inuse");
-#endif
-
static struct label *
mac_posix_sem_label_alloc(void)
{
@@ -67,7 +61,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(posix_sem_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacposixsems);
return (label);
}
@@ -83,7 +76,6 @@
{
MAC_PERFORM(posix_sem_destroy_label, label);
- MAC_DEBUG_COUNTER_DEC(&nmacposixsems);
}
void
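Review bot: With the counter gone, the free path in this hunk runs only `MAC_PERFORM(posix_sem_destroy_label, label);` before its closing brace. The allocator in the previous hunk takes the label from `mac_labelzone_alloc(M_WAITOK)`, and the other label-free routines in this change follow their MAC_PERFORM with `mac_labelzone_free(label);` or `mac_destroy_label(label);`. Unless a caller releases the label itself (the signature and callers are outside the hunk), each destroyed POSIX semaphore appears to leak one label, and this change removes the `posix_sems` counter that would have shown it. I would add `mac_labelzone_free(label);` after the MAC_PERFORM line, or a comment saying where the label is freed.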
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_process.c#4 (text+ko) ====
@@ -96,14 +96,6 @@
&mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
-#ifdef MAC_DEBUG
-static unsigned int nmaccreds, nmacprocs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
- &nmaccreds, 0, "number of ucreds in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
- &nmacprocs, 0, "number of procs in use");
-#endif
-
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
@@ -114,7 +106,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(cred_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmaccreds);
return (label);
}
@@ -132,7 +123,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(proc_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacprocs);
return (label);
}
@@ -149,7 +139,6 @@
MAC_PERFORM(cred_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
void
@@ -166,7 +155,6 @@
MAC_PERFORM(proc_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_socket.c#4 (text+ko) ====
@@ -81,13 +81,6 @@
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-#ifdef MAC_DEBUG
-static unsigned int nmacsockets;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
- &nmacsockets, 0, "number of sockets in use");
-#endif
-
struct label *
mac_socket_label_alloc(int flag)
{
@@ -104,7 +97,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
@@ -124,7 +116,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
@@ -150,7 +141,6 @@
MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
@@ -159,7 +149,6 @@
MAC_PERFORM(socket_peer_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_system.c#3 (text+ko) ====
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_msg.c#3 (text+ko) ====
@@ -63,14 +63,6 @@
"Enforce MAC policy on System V IPC Message Queues");
TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
-#ifdef MAC_DEBUG
-static unsigned int nmacipcmsgs, nmacipcmsqs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD,
- &nmacipcmsgs, 0, "number of sysv ipc messages inuse");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD,
- &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse");
-#endif
-
static struct label *
mac_sysvmsg_label_alloc(void)
{
@@ -78,7 +70,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(sysvmsg_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcmsgs);
return (label);
}
@@ -96,7 +87,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(sysvmsq_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcmsqs);
return (label);
}
@@ -113,7 +103,6 @@
MAC_PERFORM(sysvmsg_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs);
}
void
@@ -130,7 +119,6 @@
MAC_PERFORM(sysvmsq_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_sem.c#3 (text+ko) ====
@@ -62,12 +62,6 @@
&mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
-#ifdef MAC_DEBUG
-static unsigned int nmacipcsemas;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
- &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse");
-#endif
-
static struct label *
mac_sysvsem_label_alloc(void)
{
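Review bot: The context line `TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);` registers the same tunable name that mac_sysv_shm.c uses for `&mac_enforce_sysv_shm`, whereas mac_sysv_msg.c uses the per-object name `"security.mac.enforce_sysv_msg"`. The sysctl name is outside the hunk, but if it is per-object as well, a boot-time setting written against that name would not reach this variable, and a single `enforce_sysv` setting would switch enforcement for both semaphores and shared memory. Consider `TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem);` here and the matching `enforce_sysv_shm` name in mac_sysv_shm.c, so that each enforcement switch can be set independently.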
@@ -75,7 +69,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(sysvsem_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcsemas);
return (label);
}
@@ -92,7 +85,6 @@
MAC_PERFORM(sysvsem_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcsemas);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_sysv_shm.c#3 (text+ko) ====
@@ -63,12 +63,6 @@
"Enforce MAC policy on System V IPC shared memory");
TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
-#ifdef MAC_DEBUG
-static unsigned int nmacipcshms;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
- &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse");
-#endif
-
static struct label *
mac_sysvshm_label_alloc(void)
{
@@ -76,7 +70,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(sysvshm_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcshms);
return (label);
}
@@ -93,7 +86,6 @@
MAC_PERFORM(sysvshm_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcshms);
}
void
==== //depot/projects/trustedbsd/mac2/sys/security/mac/mac_vfs.c#5 (text+ko) ====
@@ -83,23 +83,6 @@
&mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-#ifdef MAC_DEBUG
-static int mac_debug_label_fallback = 0;
-SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
- &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
- "when label is corrupted.");
-TUNABLE_INT("security.mac.debug_label_fallback",
- &mac_debug_label_fallback);
-
-static unsigned int nmacmounts, nmacvnodes, nmacdevfsdirents;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
- &nmacmounts, 0, "number of mounts in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
- &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
- &nmacdevfsdirents, 0, "number of devfs dirents inuse");
-#endif
-
static int mac_vnode_setlabel_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
@@ -110,7 +93,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(devfs_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
return (label);
}
@@ -128,7 +110,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(mount_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacmounts);
return (label);
}
@@ -146,7 +127,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(vnode_init_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacvnodes);
return (label);
}
@@ -163,7 +143,6 @@
MAC_PERFORM(devfs_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
void
@@ -180,7 +159,6 @@
MAC_PERFORM(mount_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
void
@@ -197,7 +175,6 @@
MAC_PERFORM(vnode_destroy_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
void