d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

o Introduce an 'options REGRESSION'-dependant sysctl namespaces,

Browse Source 
'regression.*'.
o Add 'regression.securelevel_nonmonotonic', conditional on 'options
  REGRESSION', which allows the securelevel to be lowered for the purposes
  of efficient regression testing of securelevel policy decisions.
  Regression tests for securelevels will be committed shortly.

NOTE: 'options REGRESSION' should never be used on production machines, as
it permits violation of system invariants so as to improve the ability to
effectively test edge cases, and improve testing efficiency.
This commit is contained in:
Robert Watson 2001-10-07 03:51:22 +00:00
parent 7ae9a22df2
commit c175d2226f
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
sys/kern/kern_mib.c
View File

@ -40,6 +40,8 @@
* $FreeBSD$
*/
#include "opt_global.h"
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
@ -142,6 +144,10 @@ static char machine_arch[] = MACHINE_ARCH;
SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD,
machine_arch, 0, "System architecture");
#ifdef REGRESSION
SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0, "Regression test MIB");
#endif /* !REGRESSION */
char hostname[MAXHOSTNAMELEN];
static int
@ -165,6 +171,13 @@ SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname,
CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON,
0, 0, sysctl_hostname, "A", "Hostname");
#ifdef REGRESSION
int regression_securelevel_nonmonotonic=0;
SYSCTL_INT(_regression, OID_AUTO, securelevel_nonmonotonic, CTLFLAG_RW,
&regression_securelevel_nonmonotonic, 0, "securelevel may be lowered");
#endif /* !REGRESSION */
int securelevel = -1;
static int
@ -190,11 +203,17 @@ sysctl_kern_securelvl(SYSCTL_HANDLER_ARGS)
* global level, and local level if any.
*/
if (req->p->p_ucred->cr_prison != NULL) {
#ifdef REGRESSION
if (!regression_securelevel_nonmonotonic)
#endif /* !REGRESSION */
if (level < imax(securelevel,
req->p->p_ucred->cr_prison->pr_securelevel))
return (EPERM);
req->p->p_ucred->cr_prison->pr_securelevel = level;
} else {
#ifdef REGRESSION
if (!regression_securelevel_nonmonotonic)
#endif /* !REGRESSION */
if (level < securelevel)
return (EPERM);
securelevel = level;