From owner-p4-projects@FreeBSD.ORG Wed Aug 20 11:46:04 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 298B316A4C1; Wed, 20 Aug 2003 11:46:04 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8C4D16A4BF for ; Wed, 20 Aug 2003 11:46:03 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8060543FA3 for ; Wed, 20 Aug 2003 11:46:03 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h7KIk30U083808 for ; Wed, 20 Aug 2003 11:46:03 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h7KIk2ra083805 for perforce@freebsd.org; Wed, 20 Aug 2003 11:46:02 -0700 (PDT) Date: Wed, 20 Aug 2003 11:46:02 -0700 (PDT) Message-Id: <200308201846.h7KIk2ra083805@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@nailabs.com using -f 
From: Chris Vance
To: Perforce Change Reviews
Subject: PERFORCE change 36510 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 20 Aug 2003 18:46:04 -0000

http://perforce.freebsd.org/chv.cgi?CH=36510

Change 36510 by cvance@cvance_osx_laptop on 2003/08/20 11:45:39

	Try using only the dynamic sysctl interface. This requires pre-defining some structures and initializing/registering sysctls at framework initialization time.

	Add some (mostly) bogus atomic int operations. No clue whether they really are atomic on G{3,4,5} processors. We only use them for debugging counters, so it's mostly safe.

	Export mac_init and mac_late_init

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#15 (text+ko) ====

@@ -97,6 +97,16 @@
 	if (vp && !VOP_ISLOCKED(vp))					\
 		Debugger("vnode lock violation.\n");
 
+#define atomic_add_int(P, V) (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V) (*(u_int*)(P) -= (V))
+
+struct sysctl_oid_list sysctl__security_children;
+SYSCTL_DECL(_security);
+SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW, 0,
+    "Security Controls");
+
+struct sysctl_oid_list sysctl__security_mac_children;
+SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
     "TrustedBSD MAC policy controls");
 
@@ -187,6 +197,8 @@
     "copy-on-write semantics, or by removing all write access");
 
 #ifdef MAC_DEBUG
+struct sysctl_oid_list sysctl__security_mac_debug_children;
+SYSCTL_DECL(_security_mac_debug);
 SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
     "TrustedBSD MAC debug info");
 
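Review bot: The `atomic_add_int`/`atomic_subtract_int` macros at the top of the first hunk are plain `+=`/`-=` read-modify-write expressions, so on an SMP kernel concurrent updates can be lost, while their names match a genuine atomic API and invite later reuse for something that actually needs atomicity (a reference count or lock word) rather than the MAC_DEBUG statistics the description says they serve. I'd either give them a name that does not promise atomicity, or state the limitation at the definition: `/* XXX not atomic: plain read-modify-write; only acceptable for MAC_DEBUG statistics counters */`. The `(u_int*)` cast also makes the macros accept any pointer type without complaint, so a caller passing a pointer to an object of a different width would be silently misused rather than rejected; dropping the cast would let the compiler catch that. The `security` node defined here with an empty parent is a new top-level OID owned by kern_mac.c; if another subsystem later defines the same node the two would collide at registration, which is worth a comment at the `SYSCTL_NODE(, OID_AUTO, security, ...)` line.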
@@ -197,16 +209,18 @@
 TUNABLE_INT("security.mac.debug_label_fallback",
     &mac_debug_label_fallback);
 
+struct sysctl_oid_list sysctl__security_mac_debug_counters_children;
+SYSCTL_DECL(_security_mac_debug_counters);
 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
     "TrustedBSD MAC object counters");
 
-static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
-    nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
-    nmacipqs, nmacpipes, nmacprocs;
+static unsigned int nmacmbufs=0, nmaccreds=0, nmacifnets=0, nmacbpfdescs=0,
+    nmacsockets=0, nmacmounts=0, nmactemp=0, nmacvnodes=0, nmacdevfsdirents=0,
+    nmacipqs=0, nmacpipes=0, nmacprocs=0;
 
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
     &nmacmbufs, 0, "number of mbufs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
+SYSCTL_INT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
     &nmacifnets, 0, "number of ifnets in use");
@@ -489,7 +503,7 @@
 /*
  * Initialize the MAC subsystem, including appropriate SMP locks.
  */
-static void
+void
 mac_init(void)
 {
 
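Review bot: The `creds` counter switches from `SYSCTL_UINT` to `SYSCTL_INT` while `nmaccreds` is still declared `unsigned int` a few lines above and every sibling counter keeps `SYSCTL_UINT`, so the type the sysctl advertises no longer matches the variable behind it and the counters are no longer uniform. Unless a build problem forced the change, keep it as `SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,`. The `=0` initializers on the static counters are redundant, since static storage is already zero-initialized, and push the declaration past 80 columns; if the explicit form is intended to move the counters out of .bss for the dynamic-sysctl setup, a one-line comment saying so would keep the next editor from "cleaning" it up.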
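Review bot: Dropping `static` from `mac_init` in the second hunk here (and from `mac_late_init` in the final hunk) exports two once-only initializers, but no prototype accompanies the change, so any new external caller would rely on an implicit declaration and nothing records that each function must run exactly once and in the order init then late_init. Add `void mac_init(void);` and `void mac_late_init(void);` to the header the callers include, and extend the comment above `mac_init` with a sentence stating the single-call expectation. The body of `mac_init` continues in the next hunk.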
@@ -498,6 +512,37 @@
 
 	mac_policy_mtx = mutex_alloc(ETAP_NO_TRACE);
 	cv_init(&mac_policy_cv, "mac_policy_cv");
+
+	sysctl_register_oid(&sysctl__security);
+	sysctl_register_oid(&sysctl__security_mac);
+	sysctl_register_oid(&sysctl__security_mac_max_slots);
+	sysctl_register_oid(&sysctl__security_mac_enforce_fs);
+	sysctl_register_oid(&sysctl__security_mac_enforce_kld);
+	sysctl_register_oid(&sysctl__security_mac_enforce_network);
+	sysctl_register_oid(&sysctl__security_mac_enforce_pipe);
+	sysctl_register_oid(&sysctl__security_mac_enforce_process);
+	sysctl_register_oid(&sysctl__security_mac_enforce_socket);
+	sysctl_register_oid(&sysctl__security_mac_enforce_system);
+	sysctl_register_oid(&sysctl__security_mac_enforce_vm);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation);
+	sysctl_register_oid(&sysctl__security_mac_mmap_revocation_via_cow);
+#ifdef MAC_DEBUG
+	sysctl_register_oid(&sysctl__security_mac_debug);
+	sysctl_register_oid(&sysctl__security_mac_debug_label_fallback);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mbufs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_creds);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ifnets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_ipqs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_bpfdescs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_sockets);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_pipes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_procs);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_mounts);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_temp);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_vnodes);
+	sysctl_register_oid(&sysctl__security_mac_debug_counters_devfsdirents);
+#endif
 }
 
 /*
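Review bot: `mac_init` now issues about thirty `sysctl_register_oid()` calls from a hand-maintained list, and since the function is being exported in this change, a second invocation would register every OID a second time; if it can be reached more than once, a `static int mac_initialized;` checked at the top (`if (mac_initialized) return; mac_initialized = 1;`) would make it idempotent. The list also has to be kept in step by hand with every `SYSCTL_*` declaration in the file, and an OID that is declared but missing here is simply never visible, which is easy to miss for a security-control knob; a comment at the head of the list, `/* keep in sync with the SYSCTL_* declarations above; parents must be registered before their children */`, would flag both constraints. The parent-before-child order shown (`sysctl__security`, then `sysctl__security_mac`, then its leaves, and likewise under `MAC_DEBUG`) looks correct as far as the hunk shows. `mac_init`'s signature and opening lines are in the previous hunk.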
@@ -505,7 +550,7 @@
  * "early", set the mac_late flag once we've processed modules either
  * linked into the kernel, or loaded before the kernel startup.
  */
-static void
+void
 mac_late_init(void)
 {