Date: Sun, 9 Mar 2014 19:25:27 GMT From: Brooks Davis <brooks@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 1191638 for review Message-ID: <201403091925.s29JPRtU052424@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@1191638?ac=10
Change 1191638 by brooks@brooks_zenith on 2014/03/09 19:24:35
Split MAC assertions in to FS, PROC, SOCKET, and MISC to aid benchmarking. The split isn't terriably principled and may need adjustment as we work toward something upstreamable.
Affected files ...
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_FS_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_PROC_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/amd64/conf/TESLA_ND_MAC_SOCKET#1 add
.. //depot/projects/ctsrd/tesla/src/sys/conf/options#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 edit
.. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 edit
.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 edit
Differences ...
==== //depot/projects/ctsrd/tesla/src/sys/conf/options#7 (text+ko) ====
@@ -674,6 +674,10 @@
 TESLA opt_global.h
 TESLA_CAPSICUM opt_global.h
 TESLA_MAC_ALL opt_global.h
+TESLA_MAC_FS opt_global.h
+TESLA_MAC_MISC opt_global.h
+TESLA_MAC_PROC opt_global.h
+TESLA_MAC_SOCKET opt_global.h
 TESLA_PRIV opt_global.h
 TESLA_PROC opt_global.h
 TESLA_TEST opt_global.h
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#9 (text+ko) ====
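Review bot: The four new options are added with nothing recording which assertion group each one gates or that TESLA_MAC_ALL is meant to imply all of them, and the only kernel configs this change adds (TESLA_ND_MAC_FS_SOCKET, TESLA_ND_MAC_PROC_SOCKET and TESLA_ND_MAC_SOCKET, per the affected-files list) appear by their names to exercise combinations only, so nothing measures FS, PROC or MISC on its own. If the benchmarking goal is per-group attribution, single-group configs would keep the numbers separable. A comment above the block such as `# TESLA MAC assertion groups; TESLA_MAC_ALL enables every group` would also state the relationship that each C guard now spells out by hand. The config file contents are not in this diff, so the coverage point is inferred from the file names.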
@@ -2149,7 +2149,7 @@
 euid = euip->ui_uid;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.uid. */
 TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) ||
@@ -2183,7 +2183,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.gid. */
 TESLA_SYSCALL( previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||
@@ -2217,7 +2217,7 @@
 uid_t ruid = ruip->ui_uid;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.uid. */
 TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) ||
@@ -2253,7 +2253,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.gid. */
 TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) ||
@@ -2284,7 +2284,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.uid. */
 TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) ||
@@ -2315,7 +2315,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 /* XXXRW: In the exec() case, really want imgp->attr.gid. */
 TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) ||
==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#7 (text+ko) ====
@@ -425,7 +425,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type, proto) == 0);
 #endif
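Review bot: Every guard in this file, and likewise in uipc_socket.c, mac_cred.c, mac_pipe.c, mac_process.c, mac_socket.c, mac_vfs.c, ffs_vnops.c, ufs_acl.c, ufs_lookup.c and ufs_vnops.c, now repeats `#if defined(TESLA_MAC_<group>) || defined(TESLA_MAC_ALL)`, so a future assertion site only has to omit the second operand once to drop silently out of the TESLA_MAC_ALL build with no compiler complaint. Deriving the group macros from TESLA_MAC_ALL in one shared header would let each site return to a plain `#ifdef TESLA_MAC_PROC` and keep the union defined in one place; sys/tesla-kernel.h looks like the natural home, since ufs_lookup.c includes it directly above its guard, though I have not checked that every assertion site includes it. Whatever value the derived macros take must match what opt_global.h emits for the same option, or be wrapped in `#ifndef`, so that a build with both set does not trip a redefinition diagnostic. The functions enclosing each guard begin and end outside the hunks.
```c
/* TESLA_MAC_ALL is the union of the per-subsystem assertion groups. */
#ifdef TESLA_MAC_ALL
#ifndef TESLA_MAC_FS
#define TESLA_MAC_FS 1
#endif
#ifndef TESLA_MAC_MISC
#define TESLA_MAC_MISC 1
#endif
#ifndef TESLA_MAC_PROC
#define TESLA_MAC_PROC 1
#endif
#ifndef TESLA_MAC_SOCKET
#define TESLA_MAC_SOCKET 1
#endif
#endif
```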
@@ -627,7 +627,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0);
 #endif
@@ -645,7 +645,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == 0);
 #endif
@@ -675,7 +675,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -929,7 +929,7 @@
 #ifdef MAC
 /* Access-control check is on head rather than so. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) == 0);
 #endif
@@ -951,7 +951,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so, nam) == 0);
 #endif
@@ -1495,7 +1495,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -2457,7 +2457,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -3140,7 +3140,7 @@
 * XXXRW: Should be active_cred but actually fp->f_cred is getting
 * passed down the stack, so the wrong cred here!
 */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
 #endif
 #endif
@@ -3191,7 +3191,7 @@
 struct sockbuf *sb;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0);
 #endif
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#5 (text+ko) ====
@@ -196,7 +196,7 @@
 mac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) == 0));
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#5 (text+ko) ====
@@ -143,7 +143,7 @@
 struct label *newlabel)
 {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_MISC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel) == 0);
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#6 (text+ko) ====
@@ -172,7 +172,7 @@
 }
 imgp->execlabel = label;
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit));
 #endif
@@ -183,7 +183,7 @@
 mac_execve_exit(struct image_params *imgp)
 {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr))));
 #endif
@@ -204,7 +204,7 @@
 } else *interpvplabel = NULL;
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit));
 #endif
 }
@@ -215,7 +215,7 @@
 if (interpvplabel != NULL) {
 /* Awkwardly, _exit() may be called even if _enter() wasn't. */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_PROC) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(called( mac_execve_interpreter_enter(ANY(ptr), ANY(ptr))));
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#5 (text+ko) ====
@@ -258,7 +258,7 @@
 struct label *newlabel)
 {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_SOCKET) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel) == 0);
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#5 (text+ko) ====
@@ -949,7 +949,7 @@
 struct label *newlabel)
 {
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel) == 0));
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#18 (text+ko) ====
@@ -440,7 +440,7 @@
 vp = ap->a_vp;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL( incallstack(ufs_readdir) || previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int),
@@ -674,7 +674,7 @@
 vp = ap->a_vp;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL( previously(called(vn_rdwr(ANY(int), vp, ANY(ptr), ANY(int), ANY(int), ANY(int), flags(IO_NOMACCHECK), ANY(ptr), ANY(ptr),
@@ -1495,7 +1495,7 @@
 u_char *eae, *p;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL(incallstack(ufs_setacl) || previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
@@ -1590,7 +1590,7 @@
 int error, ealen;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL(incallstack(ufs_getacl) || previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
@@ -1654,7 +1654,7 @@
 int error, ealen;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace) == 0);
 #endif
@@ -1725,7 +1725,7 @@
 u_char *eae, *p;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL(incallstack(ufs_setacl) || previously(mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0));
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#5 (text+ko) ====
@@ -364,7 +364,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp, ap->a_type) == 0);
 #endif
@@ -622,7 +622,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 if (ap->a_aclp == NULL) TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr), ap->a_vp, ap->a_type) == 0);
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#7 (text+ko) ====
@@ -53,7 +53,7 @@
 #include <sys/sysctl.h>
 #include <sys/tesla-kernel.h>
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 #include <security/mac/mac_framework.h>
 #endif
@@ -217,7 +217,7 @@
 {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp, ap->a_cnp) == 0);
 #endif
==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#8 (text+ko) ====
@@ -274,7 +274,7 @@
 struct inode *ip;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL( previously(mac_kld_check_load(ANY(ptr), vp) == 0) || previously(mac_vnode_check_exec(ANY(ptr), vp, ANY(ptr)) == 0) ||
@@ -542,7 +542,7 @@
 }
 if (vap->va_flags != VNOVAL) {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setflags(ANY(ptr), vp, ANY(int)) == 0);
 #endif
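Review bot: The assertion in the ufs_vnops.c hunk at 274 is satisfied by mac_kld_check_load or mac_vnode_check_exec, which are kld-load and exec entry points rather than file-system operations, yet this site is placed in the TESLA_MAC_FS group while the execve assertions in mac_process.c (mac_execve_enter/exit, mac_execve_interpreter_enter/exit) went to TESLA_MAC_PROC; if the benchmark attributes cost per group, an exec()-heavy workload will charge this site to FS. Since the commit message already calls the split provisional, a comment at the site recording the choice, e.g. `/* Grouped under TESLA_MAC_FS although kld/exec checks are asserted here; revisit when the split is finalised. */`, would stop it being re-litigated. The enclosing function starts and ends outside the hunk, so which vnode operation reaches this check is not visible here.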
@@ -611,7 +611,7 @@
 }
 if (vap->va_size != VNOVAL) {
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_write(ANY(ptr), ANY(ptr), vp) == 0);
 #endif
@@ -661,7 +661,7 @@
 * XXXRW: TESLA can't currently instrument functions with
 * struct arguments.
 */
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setutimes(ANY(ptr), vp, ANY(timespec), ANY(timespec)) == 0);
 #endif
@@ -802,7 +802,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setmode(ANY(ptr), vp, mode) == 0);
 #endif
@@ -875,7 +875,7 @@
 #endif
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setowner(ANY(ptr), vp, uid, gid) == 0);
 #endif
@@ -994,7 +994,7 @@
 struct thread *td;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp, ap->a_cnp) == 0);
 #endif
@@ -1050,7 +1050,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_link(ANY(ptr), tdvp, vp, cnp) == 0);
 #endif
@@ -1220,7 +1220,7 @@
 ino_t ino;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_from(ANY(ptr), fdvp, fvp, fcnp) == 0);
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_rename_to(ANY(ptr), tdvp,
@@ -1884,7 +1884,7 @@
 long blkoff;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp, vap) == 0);
 #endif
@@ -2125,7 +2125,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_unlink(ANY(ptr), dvp, vp, cnp) == 0);
 #endif
@@ -2276,7 +2276,7 @@
 off_t off;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readdir(ANY(ptr), ap->a_vp) == 0);
 #endif
@@ -2392,7 +2392,7 @@
 doff_t isize;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_readlink(ANY(ptr), vp) == 0);
 #endif
 #endif
@@ -2695,7 +2695,7 @@
 int error;
 #ifdef MAC
-#ifdef TESLA_MAC_ALL
+#if defined(TESLA_MAC_FS) || defined(TESLA_MAC_ALL)
 TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_create(ANY(ptr), dvp, cnp, ANY(ptr)) == 0);
 #endif