From c175d2226f90606c7a73b8b4e9a831b71857751d Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Sun, 7 Oct 2001 03:51:22 +0000 Subject: [PATCH] o Introduce an 'options REGRESSION'-dependant sysctl namespaces, 'regression.*'. o Add 'regression.securelevel_nonmonotonic', conditional on 'options REGRESSION', which allows the securelevel to be lowered for the purposes of efficient regression testing of securelevel policy decisions. Regression tests for securelevels will be committed shortly. NOTE: 'options REGRESSION' should never be used on production machines, as it permits violation of system invariants so as to improve the ability to effectively test edge cases, and improve testing efficiency. --- sys/kern/kern_mib.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index b6eec4c22825..c59c9aa5cea1 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -40,6 +40,8 @@ * $FreeBSD$ */ +#include "opt_global.h" + #include #include #include @@ -142,6 +144,10 @@ static char machine_arch[] = MACHINE_ARCH; SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD, machine_arch, 0, "System architecture"); +#ifdef REGRESSION +SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0, "Regression test MIB"); +#endif /* !REGRESSION */ + char hostname[MAXHOSTNAMELEN]; static int @@ -165,6 +171,13 @@ SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname, CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, sysctl_hostname, "A", "Hostname"); +#ifdef REGRESSION +int regression_securelevel_nonmonotonic=0; + +SYSCTL_INT(_regression, OID_AUTO, securelevel_nonmonotonic, CTLFLAG_RW, + ®ression_securelevel_nonmonotonic, 0, "securelevel may be lowered"); +#endif /* !REGRESSION */ + int securelevel = -1; static int 
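Review bot: In the `@@ -142,6 +144,10 @@` hunk the closing comment `#endif /* !REGRESSION */` names the opposite condition from the `#ifdef REGRESSION` it closes. It reads like the end of an `#ifndef` block to anyone auditing what is compiled into a non-test kernel. I would write `#endif /* REGRESSION */` here; the same comment appears on the knob definition in the `@@ -165,6 +171,13 @@` hunk and twice in the `@@ -190,11 +203,17 @@` hunk. The new top-level node also has no comment, and one line such as `/* Test-only MIB: entries may relax kernel invariants; exists only with 'options REGRESSION'. */` would carry the commit message's warning into the source.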
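Review bot: `regression_securelevel_nonmonotonic` in the `@@ -165,6 +171,13 @@` hunk is registered as a plain `CTLFLAG_RW` integer, so on a kernel built with `options REGRESSION` it can be switched on at any time, including after the securelevel has been raised. From then on the lowering check in `sysctl_kern_securelvl` is skipped. If the planned regression tests can set the knob before they raise the level, using `CTLFLAG_RW|CTLFLAG_SECURE` would limit the damage when such a kernel ends up on a machine that relies on securelevel. The declaration also carries no comment and is written `=0`; I would add `/* Test-only: non-zero lets the securelevel be lowered. */` above it and spell the initializer `= 0`.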
@@ -190,11 +203,17 @@ sysctl_kern_securelvl(SYSCTL_HANDLER_ARGS) * global level, and local level if any. */ if (req->p->p_ucred->cr_prison != NULL) { +#ifdef REGRESSION + if (!regression_securelevel_nonmonotonic) +#endif /* !REGRESSION */ if (level < imax(securelevel, req->p->p_ucred->cr_prison->pr_securelevel)) return (EPERM); req->p->p_ucred->cr_prison->pr_securelevel = level; } else { +#ifdef REGRESSION + if (!regression_securelevel_nonmonotonic) +#endif /* !REGRESSION */ if (level < securelevel) return (EPERM); securelevel = level;
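Review bot: Both new guards in `sysctl_kern_securelvl` are a brace-less `if (!regression_securelevel_nonmonotonic)` spliced by the preprocessor in front of another brace-less `if`, so the statement that owns `return (EPERM)` differs between kernel configurations. A later edit that adds a statement or an `else` between the two lines would change the securelevel check in only one of them. Folding the knob into the existing condition through one macro keeps a single `if` per branch and leaves the non-REGRESSION build visibly unchanged. With the knob set, the prison branch also stops comparing against the global `securelevel`, so a prison's level can be set below the host's; a comment saying this is intended would help. The function starts and ends outside the hunk, so the sketch shows only the macro and the two checks.

```c
#ifdef REGRESSION
#define	SECURELEVEL_MONOTONIC()	(!regression_securelevel_nonmonotonic)
#else
#define	SECURELEVEL_MONOTONIC()	(1)
#endif

	/* … unchanged: comment block and prison test … */
		if (SECURELEVEL_MONOTONIC() &&
		    level < imax(securelevel,
		    req->p->p_ucred->cr_prison->pr_securelevel))
			return (EPERM);
	/* … unchanged: pr_securelevel assignment, else branch opening … */
		if (SECURELEVEL_MONOTONIC() && level < securelevel)
			return (EPERM);
```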