mirror of
https://git.FreeBSD.org/src.git
synced 2025-01-22 15:47:37 +00:00
o Introduce an 'options REGRESSION'-dependant sysctl namespaces,
'regression.*'. o Add 'regression.securelevel_nonmonotonic', conditional on 'options REGRESSION', which allows the securelevel to be lowered for the purposes of efficient regression testing of securelevel policy decisions. Regression tests for securelevels will be committed shortly. NOTE: 'options REGRESSION' should never be used on production machines, as it permits violation of system invariants so as to improve the ability to effectively test edge cases, and improve testing efficiency.
This commit is contained in:
parent
7ae9a22df2
commit
c175d2226f
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=84611
@ -40,6 +40,8 @@
|
|||||||
* $FreeBSD$
|
* $FreeBSD$
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include "opt_global.h"
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/kernel.h>
|
#include <sys/kernel.h>
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
@ -142,6 +144,10 @@ static char machine_arch[] = MACHINE_ARCH;
|
|||||||
SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD,
|
SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD,
|
||||||
machine_arch, 0, "System architecture");
|
machine_arch, 0, "System architecture");
|
||||||
|
|
||||||
|
#ifdef REGRESSION
|
||||||
|
SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0, "Regression test MIB");
|
||||||
|
#endif /* !REGRESSION */
|
||||||
|
|
||||||
char hostname[MAXHOSTNAMELEN];
|
char hostname[MAXHOSTNAMELEN];
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@ -165,6 +171,13 @@ SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname,
|
|||||||
CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON,
|
CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON,
|
||||||
0, 0, sysctl_hostname, "A", "Hostname");
|
0, 0, sysctl_hostname, "A", "Hostname");
|
||||||
|
|
||||||
|
#ifdef REGRESSION
|
||||||
|
int regression_securelevel_nonmonotonic=0;
|
||||||
|
|
||||||
|
SYSCTL_INT(_regression, OID_AUTO, securelevel_nonmonotonic, CTLFLAG_RW,
|
||||||
|
®ression_securelevel_nonmonotonic, 0, "securelevel may be lowered");
|
||||||
|
#endif /* !REGRESSION */
|
||||||
|
|
||||||
int securelevel = -1;
|
int securelevel = -1;
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@ -190,11 +203,17 @@ sysctl_kern_securelvl(SYSCTL_HANDLER_ARGS)
|
|||||||
* global level, and local level if any.
|
* global level, and local level if any.
|
||||||
*/
|
*/
|
||||||
if (req->p->p_ucred->cr_prison != NULL) {
|
if (req->p->p_ucred->cr_prison != NULL) {
|
||||||
|
#ifdef REGRESSION
|
||||||
|
if (!regression_securelevel_nonmonotonic)
|
||||||
|
#endif /* !REGRESSION */
|
||||||
if (level < imax(securelevel,
|
if (level < imax(securelevel,
|
||||||
req->p->p_ucred->cr_prison->pr_securelevel))
|
req->p->p_ucred->cr_prison->pr_securelevel))
|
||||||
return (EPERM);
|
return (EPERM);
|
||||||
req->p->p_ucred->cr_prison->pr_securelevel = level;
|
req->p->p_ucred->cr_prison->pr_securelevel = level;
|
||||||
} else {
|
} else {
|
||||||
|
#ifdef REGRESSION
|
||||||
|
if (!regression_securelevel_nonmonotonic)
|
||||||
|
#endif /* !REGRESSION */
|
||||||
if (level < securelevel)
|
if (level < securelevel)
|
||||||
return (EPERM);
|
return (EPERM);
|
||||||
securelevel = level;
|
securelevel = level;
|
||||||
|
Loading…
Reference in New Issue
Block a user