PERFORCE change 231384 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jul 23 21:20:29 UTC 2013
http://p4web.freebsd.org/@@231384?ac=10
Change 231384 by rwatson at rwatson_cinnamon on 2013/07/23 21:20:17
Classify various TESLA assertions and allow them to be conditionally
compiled.
Affected files ...
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/conf/options#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#6 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/vfs_vnops.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#14 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#3 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#4 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#4 edit
Differences ...
==== //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA#4 (text+ko) ====
@@ -2,3 +2,7 @@
ident TESLA
options TESLA
+options TESLA_CAPSICUM
+options TESLA_MAC
+options TESLA_PRIV
+options TESLA_PROC
==== //depot/projects/ctsrd/tesla/src/sys/conf/options#4 (text+ko) ====
@@ -672,6 +672,10 @@
KTR_ENTRIES opt_global.h
KTR_VERBOSE opt_ktr.h
TESLA opt_global.h
+TESLA_CAPSICUM opt_global.h
+TESLA_MAC opt_global.h
+TESLA_PRIV opt_global.h
+TESLA_PROC opt_global.h
WITNESS opt_global.h
WITNESS_KDB opt_witness.h
WITNESS_NO_VNODE opt_witness.h
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#3 (text+ko) ====
@@ -74,7 +74,9 @@
struct vnode *textvp;
int error;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0);
+#endif
freepath = NULL;
PROC_LOCK(p);
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#3 (text+ko) ====
@@ -313,7 +313,9 @@
int error;
struct namemap *nm;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
if (uio == NULL || uio->uio_rw != UIO_WRITE)
return (EOPNOTSUPP);
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#3 (text+ko) ====
@@ -71,7 +71,9 @@
int ival;
#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
KASSERT(p != NULL,
("%s() called without a process", __func__));
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#3 (text+ko) ====
@@ -51,7 +51,9 @@
procfs_doprocnote(PFS_FILL_ARGS)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
sbuf_trim(sb);
sbuf_finish(sb);
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#3 (text+ko) ====
@@ -45,7 +45,9 @@
const char *pp;
int ov, osrel, i;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
if (uio == NULL)
return (EOPNOTSUPP);
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#3 (text+ko) ====
@@ -67,7 +67,9 @@
struct plimit *limp;
int i;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
/*
* Obtain a private reference to resource limits
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#3 (text+ko) ====
@@ -74,7 +74,9 @@
int pid, ppid, pgid, sid;
int i;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0);
+#endif
pid = p->p_pid;
PROC_LOCK(p);
==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#3 (text+ko) ====
@@ -48,7 +48,9 @@
{
static const char *none = "Not Available";
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0);
+#endif
if (p != NULL && p->p_sysent && p->p_sysent->sv_name)
sbuf_printf(sb, "%s", p->p_sysent->sv_name);
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#3 (text+ko) ====
@@ -539,7 +539,10 @@
}
}
PROC_LOCK_ASSERT(p, MA_OWNED);
+
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0);
+#endif
/*
* Now that the appropriate locks are held and we have enough cpusets,
@@ -717,7 +720,9 @@
if (error)
goto out;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0);
+#endif
set = NULL;
thread_lock(td);
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#3 (text+ko) ====
@@ -296,8 +296,10 @@
error = sysctl_handle_string(oidp, tmpname, len, req);
if (req->newptr != NULL && error == 0) {
+#ifdef TESLA_PRIV
TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td,
PRIV_SYSCTL_WRITEJAIL) == 0);
+#endif
/*
* Copy the locally set hostname to all jails that share
@@ -357,8 +359,10 @@
if (error || !req->newptr)
return (error);
+#ifdef TESLA_PRIV
TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, PRIV_SYSCTL_WRITEJAIL) ==
0);
+#endif
/* Permit update only if the new securelevel exceeds the old. */
sx_slock(&allprison_lock);
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#6 (text+ko) ====
@@ -2148,14 +2148,20 @@
euid = euip->ui_uid;
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), euid)
== 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), euid,
ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
newcred->cr_uid = euid;
uihold(euip);
@@ -2173,14 +2179,20 @@
change_egid(struct ucred *newcred, gid_t egid)
{
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), ANY(int), egid)
== 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), egid,
ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
newcred->cr_groups[0] = egid;
}
@@ -2198,14 +2210,20 @@
{
uid_t ruid = ruip->ui_uid;
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ruid, ANY(int))
== 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ruid, ANY(int),
ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
newcred->cr_ruid = ruid;
@@ -2225,14 +2243,20 @@
change_rgid(struct ucred *newcred, gid_t rgid)
{
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), rgid, ANY(int))
== 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), rgid, ANY(int),
ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
newcred->cr_rgid = rgid;
}
@@ -2247,14 +2271,20 @@
change_svuid(struct ucred *newcred, uid_t svuid)
{
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ANY(int),
ANY(int)) == 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ANY(int),
ANY(int), ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
newcred->cr_svuid = svuid;
}
@@ -2269,14 +2299,20 @@
change_svgid(struct ucred *newcred, gid_t svgid)
{
+#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(
previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), ANY(int), ANY(int))
== 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), ANY(int),
ANY(int)) == 0));
+#endif
+#endif
+#ifdef TESLA_PROC
TESLA_SYSCALL(previously(called(setsugid)) ||
eventually(called(setsugid)));
+#endif
newcred->cr_svgid = svgid;
}
==== //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#3 (text+ko) ====
@@ -137,7 +137,9 @@
int policy;
int e;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0);
+#endif
e = getscheduler(ksched, td, &policy);
@@ -155,7 +157,9 @@
{
struct rtprio rtp;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0);
+#endif
pri_to_rtp(td, &rtp);
if (RTP_PRIO_IS_REALTIME(rtp.type))
@@ -187,7 +191,9 @@
int e = 0;
struct rtprio rtp;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0);
+#endif
switch(policy)
{
@@ -232,7 +238,9 @@
ksched_getscheduler(struct ksched *ksched, struct thread *td, int *policy)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0);
+#endif
return getscheduler(ksched, td, policy);
}
@@ -297,7 +305,9 @@
struct thread *td, struct timespec *timespec)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0);
+#endif
*timespec = ksched->rr_interval;
==== //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#4 (text+ko) ====
@@ -141,7 +141,9 @@
proc_read_regs(struct thread *td, struct reg *regs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_regs(td, regs));
}
@@ -150,7 +152,9 @@
proc_write_regs(struct thread *td, struct reg *regs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_regs(td, regs));
}
@@ -159,7 +163,9 @@
proc_read_dbregs(struct thread *td, struct dbreg *dbregs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_dbregs(td, dbregs));
}
@@ -168,7 +174,9 @@
proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_dbregs(td, dbregs));
}
@@ -181,7 +189,9 @@
proc_read_fpregs(struct thread *td, struct fpreg *fpregs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_fpregs(td, fpregs));
}
@@ -190,7 +200,9 @@
proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_fpregs(td, fpregs));
}
@@ -201,7 +213,9 @@
proc_read_regs32(struct thread *td, struct reg32 *regs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_regs32(td, regs32));
}
@@ -210,7 +224,9 @@
proc_write_regs32(struct thread *td, struct reg32 *regs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_regs32(td, regs32));
}
@@ -219,7 +235,9 @@
proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_dbregs32(td, dbregs32));
}
@@ -228,7 +246,9 @@
proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_dbregs32(td, dbregs32));
}
@@ -237,7 +257,9 @@
proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(fill_fpregs32(td, fpregs32));
}
@@ -246,7 +268,9 @@
proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(set_fpregs32(td, fpregs32));
}
@@ -256,7 +280,9 @@
proc_sstep(struct thread *td)
{
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);
+#endif
PROC_ACTION(ptrace_single_step(td));
}
@@ -269,7 +295,9 @@
vm_prot_t reqprot;
int error, fault_flags, page_offset, writing;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
/*
* Assert that someone has locked this vmspace. (Should be
@@ -366,7 +394,9 @@
u_int pathlen;
int error, index;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
error = 0;
obj = NULL;
@@ -474,7 +504,9 @@
struct ptrace_vm_entry pve;
int error;
+#ifdef TESLA_PROC
TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0);
+#endif
pve.pve_entry = pve32->pve_entry;
pve.pve_pathlen = pve32->pve_pathlen;
==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#4 (text+ko) ====
@@ -425,9 +425,11 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type,
proto) == 0);
#endif
+#endif
if (proto)
prp = pffindproto(dom, proto, type);
@@ -625,9 +627,11 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) ==
0);
#endif
+#endif
CURVNET_SET(so->so_vnet);
error = (*so->so_proto->pr_usrreqs->pru_bind)(so, nam, td);
@@ -641,9 +645,11 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) ==
0);
#endif
+#endif
CURVNET_SET(so->so_vnet);
error = (*so->so_proto->pr_usrreqs->pru_bindat)(fd, so, nam, td);
@@ -669,8 +675,10 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0);
#endif
+#endif
CURVNET_SET(so->so_vnet);
error = (*so->so_proto->pr_usrreqs->pru_listen)(so, backlog, td);
@@ -921,9 +929,11 @@
#ifdef MAC
/* Access-control check is on head rather than so. */
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) ==
0);
#endif
+#endif
SOCK_LOCK(so);
KASSERT((so->so_state & SS_NOFDREF) != 0, ("soaccept: !NOFDREF"));
@@ -941,9 +951,11 @@
{
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so,
nam) == 0);
#endif
+#endif
return (soconnectat(AT_FDCWD, so, nam, td));
}
@@ -1483,7 +1495,9 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0);
+#ifdef TESLA_MAC
#endif
CURVNET_SET(so->so_vnet);
@@ -2443,8 +2457,10 @@
int error;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0);
#endif
+#endif
CURVNET_SET(so->so_vnet);
error = (so->so_proto->pr_usrreqs->pru_soreceive(so, psa, uio, mp0,
@@ -3124,8 +3140,10 @@
* XXXRW: Should be active_cred but actually fp->f_cred is getting
* passed down the stack, so the wrong cred here!
*/
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
#endif
+#endif
SOCKBUF_LOCK(&so->so_snd);
SOCKBUF_LOCK(&so->so_rcv);
@@ -3173,8 +3191,10 @@
struct sockbuf *sb;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
#endif
+#endif
switch (kn->kn_filter) {
case EVFILT_READ:
==== //depot/projects/ctsrd/tesla/src/sys/kern/vfs_vnops.c#5 (text+ko) ====
@@ -710,10 +710,12 @@
}
offset = uio->uio_offset;
+#ifdef TESLA_CAPSICUM
TESLA_WITHIN(kern_readv, previously(fget_unlocked(ANY(ptr), ANY(int),
bitmask(CAP_READ), ANY(int), &fp, ANY(ptr)) == 0));
TESLA_WITHIN(kern_preadv, previously(fget_unlocked(ANY(ptr), ANY(int),
bitmask(CAP_PREAD), ANY(int), &fp, ANY(ptr)) == 0));
+#endif
#ifdef MAC
error = mac_vnode_check_read(active_cred, fp->f_cred, vp);
if (error == 0)
@@ -819,10 +821,12 @@
}
offset = uio->uio_offset;
+#ifdef TESLA_CAPSICUM
TESLA_WITHIN(kern_writev, previously(fget_unlocked(ANY(ptr), ANY(int),
bitmask(CAP_WRITE), ANY(int), &fp, ANY(ptr)) == 0));
TESLA_WITHIN(kern_pwritev, previously(fget_unlocked(ANY(ptr), ANY(int),
bitmask(CAP_PWRITE), ANY(int), &fp, ANY(ptr)) == 0));
+#endif
#ifdef MAC
error = mac_vnode_check_write(active_cred, fp->f_cred, vp);
if (error == 0)
@@ -1211,8 +1215,10 @@
if (error)
goto out;
#endif
+#ifdef TESLA_CAPSICUM
TESLA_WITHIN(kern_ftruncate, previously(fget_unlocked(ANY(ptr),
ANY(int), bitmask(CAP_FTRUNCATE), ANY(int), &fp, ANY(ptr)) == 0));
+#endif
error = vn_writechk(vp);
if (error == 0) {
VATTR_NULL(&vattr);
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#3 (text+ko) ====
@@ -196,8 +196,10 @@
mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
+#ifdef TESLA_MAC
TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) ==
0));
+#endif
MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
}
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#3 (text+ko) ====
@@ -143,8 +143,10 @@
struct label *newlabel)
{
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel)
== 0);
+#endif
MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label,
newlabel);
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#4 (text+ko) ====
@@ -172,7 +172,9 @@
}
imgp->execlabel = label;
+#ifdef TESLA_MAC
TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit));
+#endif
return (0);
}
@@ -181,7 +183,9 @@
mac_execve_exit(struct image_params *imgp)
{
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr))));
+#endif
if (imgp->execlabel != NULL) {
mac_cred_label_free(imgp->execlabel);
@@ -200,7 +204,9 @@
} else
*interpvplabel = NULL;
+#ifdef TESLA_MAC
TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit));
+#endif
}
void
@@ -209,8 +215,10 @@
if (interpvplabel != NULL) {
/* Awkwardly, _exit() may be called even if _enter() wasn't. */
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(called(
mac_execve_interpreter_enter(ANY(ptr), ANY(ptr))));
+#endif
mac_vnode_label_free(interpvplabel);
}
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#3 (text+ko) ====
@@ -258,8 +258,10 @@
struct label *newlabel)
{
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel)
== 0);
+#endif
SOCK_LOCK_ASSERT(so);
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#3 (text+ko) ====
@@ -949,8 +949,10 @@
struct label *newlabel)
{
+#ifdef TESLA_MAC
TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel)
== 0));
+#endif
MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
}
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#14 (text+ko) ====
@@ -440,11 +440,13 @@
vp = ap->a_vp;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(incallstack(ufs_readdir) ||
previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0));
TESLA_PAGE_FAULT(incallstack(ufs_readdir) ||
previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0));
#endif
+#endif
uio = ap->a_uio;
ioflag = ap->a_ioflag;
@@ -668,11 +670,13 @@
vp = ap->a_vp;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(previously(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp)
== 0));
- TESLA_PAGE_FAULT(previously(mac_vnode_check_WRITE(ANY(ptr), ANY(ptr),
+ TESLA_PAGE_FAULT(previously(mac_vnode_check_write(ANY(ptr), ANY(ptr),
vp) == 0));
#endif
+#endif
uio = ap->a_uio;
ioflag = ap->a_ioflag;
@@ -1484,10 +1488,12 @@
u_char *eae, *p;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(incallstack(ufs_setacl) ||
previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp,
ap->a_attrnamespace, ap->a_name) == 0));
#endif
+#endif
ip = VTOI(ap->a_vp);
fs = ip->i_fs;
@@ -1577,10 +1583,12 @@
int error, ealen;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(incallstack(ufs_getacl) ||
previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp,
ap->a_attrnamespace, ap->a_name) == 0));
#endif
+#endif
ip = VTOI(ap->a_vp);
fs = ip->i_fs;
@@ -1639,9 +1647,11 @@
int error, ealen;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr),
ap->a_vp, ap->a_attrnamespace) == 0);
#endif
+#endif
ip = VTOI(ap->a_vp);
fs = ip->i_fs;
@@ -1708,10 +1718,12 @@
u_char *eae, *p;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(incallstack(ufs_setacl) ||
mac_vnode_check_setextattr(ANY(ptr), ap->a_vp,
ap->a_attrnamespace, ap->a_name) == 0);
#endif
+#endif
ip = VTOI(ap->a_vp);
fs = ip->i_fs;
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#3 (text+ko) ====
@@ -364,9 +364,11 @@
{
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp,
ap->a_type) == 0);
#endif
+#endif
if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
return (EOPNOTSUPP);
@@ -620,6 +622,7 @@
{
#ifdef MAC
+#ifdef TESLA_MAC
if (ap->a_aclp == NULL)
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr),
ap->a_vp, ap->a_type) == 0);
@@ -627,6 +630,7 @@
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setacl(ANY(ptr),
ap->a_vp, ap->a_type, ap->a_aclp) == 0);
#endif
+#endif
if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
return (EOPNOTSUPP);
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#4 (text+ko) ====
@@ -213,9 +213,11 @@
{
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp,
ap->a_cnp) == 0);
#endif
+#endif
return (ufs_lookup_ino(ap->a_dvp, ap->a_vpp, ap->a_cnp, NULL));
}
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#4 (text+ko) ====
@@ -274,9 +274,11 @@
struct inode *ip;
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL(incallstack(kern_execve) ||
mac_vnode_check_open(ANY(ptr), vp, ANY(int)) == 0);
#endif
+#endif
if (vp->v_type == VCHR || vp->v_type == VBLK)
return (EOPNOTSUPP);
@@ -538,9 +540,11 @@
}
if (vap->va_flags != VNOVAL) {
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setflags(ANY(ptr),
vp, ANY(int)) == 0);
#endif
+#endif
if ((vap->va_flags & ~(UF_NODUMP | UF_IMMUTABLE | UF_APPEND |
UF_OPAQUE | UF_NOUNLINK | SF_ARCHIVED | SF_IMMUTABLE |
SF_APPEND | SF_NOUNLINK | SF_SNAPSHOT)) != 0)
@@ -605,9 +609,11 @@
}
if (vap->va_size != VNOVAL) {
#ifdef MAC
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_write(ANY(ptr),
ANY(ptr), vp) == 0);
#endif
+#endif
/*
* XXX most of the following special cases should be in
@@ -653,10 +659,12 @@
* XXXRW: TESLA can't currently instrument functions with
* struct arguments.
*/
+#ifdef TESLA_MAC
TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setutimes(ANY(ptr),
vp, ANY(timespec), ANY(timespec)) == 0);
#endif
#endif
+#endif
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
@@ -792,9 +800,11 @@
int error;
#ifdef MAC
>>> TRUNCATED FOR MAIL (1000 lines) <<<
More information about the p4-projects
mailing list