PERFORCE change 219768 for review
Robert Watson
rwatson at FreeBSD.org
Tue Nov 13 16:49:37 UTC 2012
http://p4web.freebsd.org/@@219768?ac=10
Change 219768 by rwatson at rwatson_zenith_cl_cam_ac_uk on 2012/11/13 16:48:52
Export a counter of CHERI system call violations (i.e., blocked
attempts to directly invoke system calls from within a sandbox).
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#10 edit
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#10 (text+ko) ====
@@ -33,9 +33,11 @@
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/proc.h>
+#include <sys/sysctl.h>
#include <ddb/ddb.h>
+#include <machine/atomic.h>
#include <machine/cheri.h>
#include <machine/pcb.h>
@@ -54,6 +56,14 @@
* call, and reload them afterwards.
*/
+static SYSCTL_NODE(_security, OID_AUTO, cheri, CTLFLAG_RD, 0,
+ "CHERI parameters and statistics");
+
+/* XXXRW: Should possibly be u_long. */
+static u_int security_cheri_syscall_violations;
+SYSCTL_UINT(_security_cheri, OID_AUTO, syscall_violations, CTLFLAG_RD,
+ &security_cheri_syscall_violations, 0, "Number of system calls blocked");
+
/*
* Given an existing more privileged capability (fromcrn), build a new
* capability in tocrn with the contents of the passed flattened
@@ -346,8 +356,10 @@
intr_enable();
if (c.c_perms != CHERI_CAP_USER_PERMS ||
c.c_base != CHERI_CAP_USER_BASE ||
- c.c_length != CHERI_CAP_USER_LENGTH)
+ c.c_length != CHERI_CAP_USER_LENGTH) {
+ atomic_add_int(&security_cheri_syscall_violations, 1);
return (ECAPMODE);
+ }
return (0);
}
More information about the p4-projects
mailing list