PERFORCE change 1191638 for review

Brooks Davis brooks at FreeBSD.org
Sun Mar 9 19:25:28 UTC 2014


http://p4web.freebsd.org/@@1191638?ac=10

Change 1191638 by brooks at brooks_zenith on 2014/03/09 19:24:35

	Split MAC assertions into FS, PROC, SOCKET, and MISC to aid
	benchmarking.  The split isn't terribly principled and may need
	adjustment as we work toward something upstreamable.

Affected files ...

.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_FS_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_PROC_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/conf/options#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 edit

Differences ...

==== //depot/projects/ctsrd/tesla/src/sys/conf/options#7 (text+ko) ====

@@ -674,6 +674,10 @@
 TESLA			opt_global.h
 TESLA_CAPSICUM		opt_global.h
 TESLA_MAC_ALL		opt_global.h
+TESLA_MAC_FS		opt_global.h
+TESLA_MAC_MISC		opt_global.h
+TESLA_MAC_PROC		opt_global.h
+TESLA_MAC_SOCKET	opt_global.h
 TESLA_PRIV		opt_global.h
 TESLA_PROC		opt_global.h
 TESLA_TEST		opt_global.h
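Review bot: The four new options are added without any indication of which assertion sites each bucket gates, and the change description itself says the split is not principled, so a later reader of this file has nothing to go on. A one-line `#` comment above the TESLA_MAC_* group naming the mapping (FS: ufs/ffs vnode checks and mac_vfs relabel; PROC: setuid/setgid and execve; SOCKET: uipc_socket and mac_socket relabel; MISC: cred and pipe relabel) would capture it where the options are declared. The affected-files list also shows configs for FS_SOCKET, PROC_SOCKET and SOCKET but none exercising TESLA_MAC_MISC on its own; if that is intentional, the comment could say so.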

==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 (text+ko) ====

@@ -2149,7 +2149,7 @@
 
 	euid = euip->ui_uid;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.uid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) ||
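Review bot: Every assertion site now repeats `defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)`, here and in the other five kern_prot.c hunks, and the same pattern with FS, SOCKET and MISC recurs in uipc_socket.c, the security/mac files and the UFS files. The relationship between the per-subsystem options and TESLA_MAC_ALL would be easier to maintain if it were stated once: in `<sys/tesla-kernel.h>` (which the ufs_lookup.c hunk shows these files including) a block like `#ifdef TESLA_MAC_ALL` / `#define TESLA_MAC_PROC` (and likewise FS, SOCKET, MISC) / `#endif` would let each site go back to a single `#ifdef TESLA_MAC_PROC`. That keeps the gating of each MAC-check assertion in one place, so a future rename or a fifth bucket cannot leave one site silently unasserted. The enclosing function's body continues beyond this hunk.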
@@ -2183,7 +2183,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.gid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||
@@ -2217,7 +2217,7 @@
 
 	uid_t ruid = ruip->ui_uid;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.uid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) ||
@@ -2253,7 +2253,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.gid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) ||
@@ -2284,7 +2284,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.uid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) ||
@@ -2315,7 +2315,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	/* XXXRW: In the exec() case, really want imgp->attr.gid. */
 	TESLA_SYSCALL(
 	    previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) ||

==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 (text+ko) ====

@@ -425,7 +425,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type,
 	    proto) == 0);
 #endif
@@ -627,7 +627,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) ==
 	    0);
 #endif
@@ -645,7 +645,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) ==
 	    0);
 #endif
@@ -675,7 +675,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -929,7 +929,7 @@
 
 #ifdef MAC
 	/* Access-control check is on head rather than so. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) ==
 	    0);
 #endif
@@ -951,7 +951,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so,
 	    nam) == 0);
 #endif
@@ -1495,7 +1495,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -2457,7 +2457,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -3140,7 +3140,7 @@
 	 * XXXRW: Should be active_cred but actually fp->f_cred is getting
 	 * passed down the stack, so the wrong cred here!
 	 */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -3191,7 +3191,7 @@
 	struct sockbuf *sb;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
 #endif
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 (text+ko) ====

@@ -196,7 +196,7 @@
 mac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) ==
 	    0));
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 (text+ko) ====

@@ -143,7 +143,7 @@
     struct label *newlabel)
 {
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel)
 	    == 0);
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 (text+ko) ====

@@ -172,7 +172,7 @@
 	}
 	imgp->execlabel = label;
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit));
 #endif
 
@@ -183,7 +183,7 @@
 mac_execve_exit(struct image_params *imgp)
 {
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr))));
 #endif
 
@@ -204,7 +204,7 @@
 	} else
 		*interpvplabel = NULL;
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit));
 #endif
 }
@@ -215,7 +215,7 @@
 
 	if (interpvplabel != NULL) {
 		/* Awkwardly, _exit() may be called even if _enter() wasn't. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 		TESLA_SYSCALL_PREVIOUSLY(called(
 		    mac_execve_interpreter_enter(ANY(ptr), ANY(ptr))));
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 (text+ko) ====

@@ -258,7 +258,7 @@
     struct label *newlabel)
 {
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel)
 	    == 0);
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 (text+ko) ====

@@ -949,7 +949,7 @@
     struct label *newlabel)
 {
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel)
 	    == 0));
 #endif

==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 (text+ko) ====

@@ -440,7 +440,7 @@
 
 	vp = ap->a_vp;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(
 	    incallstack(ufs_readdir) ||
 	    previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int),
@@ -674,7 +674,7 @@
 
 	vp = ap->a_vp;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(
 	    previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int),
 	    ANY(int), ANY(int), flags(IO_NOMACCHECK), ANY(ptr), ANY(ptr),
@@ -1495,7 +1495,7 @@
 	u_char *eae, *p;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(incallstack(ufs_setacl) ||
 	    previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp,
 	    ap->a_attrnamespace, ap->a_name) == 0));
@@ -1590,7 +1590,7 @@
 	int error, ealen;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(incallstack(ufs_getacl) ||
 	    previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp,
 	    ap->a_attrnamespace, ap->a_name) == 0));
@@ -1654,7 +1654,7 @@
 	int error, ealen;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr),
 	    ap->a_vp, ap->a_attrnamespace) == 0);
 #endif
@@ -1725,7 +1725,7 @@
 	u_char *eae, *p;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(incallstack(ufs_setacl) ||
 	    previously(mac_vnode_check_setextattr(ANY(ptr), ap->a_vp,
 	    ap->a_attrnamespace, ap->a_name) == 0));

==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 (text+ko) ====

@@ -364,7 +364,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp,
 	    ap->a_type) == 0);
 #endif
@@ -622,7 +622,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	if (ap->a_aclp == NULL)
 		TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr),
 		    ap->a_vp, ap->a_type) == 0);

==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 (text+ko) ====

@@ -53,7 +53,7 @@
 #include <sys/sysctl.h>
 #include <sys/tesla-kernel.h>
 
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 #include <security/mac/mac_framework.h>
 #endif
 
@@ -217,7 +217,7 @@
 {
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp,
 	    ap->a_cnp) == 0);
 #endif
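Review bot: The include of `<security/mac/mac_framework.h>` in the hunk above was widened to TESLA_MAC_FS so this `mac_vnode_check_lookup` call has a prototype, but no corresponding include hunk appears for ffs_vnops.c, ufs_acl.c or ufs_vnops.c, whose assertion sites were widened the same way. If those files still guard that include with `#ifdef TESLA_MAC_ALL` alone, a TESLA_MAC_FS-only build (which the new TESLA_ND_MAC_FS_SOCKET config presumably is) will see implicit declarations of the mac_vnode_check_* functions; if they include it under `#ifdef MAC` regardless of the TESLA options there is no problem, but that is worth confirming before the new configs are used. Separately, the include here is gated only on the TESLA option while this use site is additionally under `#ifdef MAC`; `#if defined(MAC) && (defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL))` would make the two guards agree, though including the header without MAC is likely harmless. The enclosing function starts outside this hunk.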

==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 (text+ko) ====

@@ -274,7 +274,7 @@
 	struct inode *ip;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL(
 	    previously(mac_kld_check_load(ANY(ptr), vp) == 0) ||
 	    previously(mac_vnode_check_exec(ANY(ptr), vp, ANY(ptr)) == 0) ||
@@ -542,7 +542,7 @@
 	}
 	if (vap->va_flags != VNOVAL) {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 		TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setflags(ANY(ptr),
 		    vp, ANY(int)) == 0);
 #endif
@@ -611,7 +611,7 @@
 	}
 	if (vap->va_size != VNOVAL) {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 		TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_write(ANY(ptr),
 		    ANY(ptr), vp) == 0);
 #endif
@@ -661,7 +661,7 @@
 		 * XXXRW: TESLA can't currently instrument functions with
 		 * struct arguments.
 		 */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 		TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setutimes(ANY(ptr),
 		    vp, ANY(timespec), ANY(timespec)) == 0);
 #endif
@@ -802,7 +802,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setmode(ANY(ptr), vp, mode)
 	    == 0);
 #endif
@@ -875,7 +875,7 @@
 #endif
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setowner(ANY(ptr), vp, uid,
 	    gid) == 0);
 #endif
@@ -994,7 +994,7 @@
 	struct thread *td;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp,
 	    ap->a_cnp) == 0);
 #endif
@@ -1050,7 +1050,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_link(ANY(ptr), tdvp, vp,
 	    cnp) == 0);
 #endif
@@ -1220,7 +1220,7 @@
 	ino_t ino;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_from(ANY(ptr), fdvp,
 	    fvp, fcnp) == 0);
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_to(ANY(ptr), tdvp,
@@ -1884,7 +1884,7 @@
 	long blkoff;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp,
 	    vap) == 0);
 #endif
@@ -2125,7 +2125,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp,
 	    cnp) == 0);
 #endif
@@ -2276,7 +2276,7 @@
 	off_t off;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readdir(ANY(ptr), ap->a_vp)
 	    == 0);
 #endif
@@ -2392,7 +2392,7 @@
 	doff_t isize;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readlink(ANY(ptr), vp) == 0);
 #endif
 #endif
@@ -2695,7 +2695,7 @@
 	int error;
 
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 	TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp,
 	    ANY(ptr)) == 0);
 #endif

