diff options
| author | rwatson <rwatson@FreeBSD.org> | 2001-10-07 03:51:22 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2001-10-07 03:51:22 +0000 |
| commit | a8e918187ac6253c0e3174870c7e87f60bf18033 (patch) | |
| tree | 6dc0d9b439290f5471c5f032aa2f9ac5dfb780b6 | |
| parent | 4d56211ce3c54dd3384af7251029ad59eba7fcdb (diff) | |
| download | FreeBSD-src-a8e918187ac6253c0e3174870c7e87f60bf18033.zip FreeBSD-src-a8e918187ac6253c0e3174870c7e87f60bf18033.tar.gz | |
o Introduce an 'options REGRESSION'-dependant sysctl namespaces,
'regression.*'.
o Add 'regression.securelevel_nonmonotonic', conditional on 'options
REGRESSION', which allows the securelevel to be lowered for the purposes
of efficient regression testing of securelevel policy decisions.
Regression tests for securelevels will be committed shortly.
NOTE: 'options REGRESSION' should never be used on production machines, as
it permits violation of system invariants so as to improve the ability to
effectively test edge cases, and improve testing efficiency.
| -rw-r--r-- | sys/kern/kern_mib.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index b6eec4c..c59c9aa 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -40,6 +40,8 @@ * $FreeBSD$ */ +#include "opt_global.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -142,6 +144,10 @@ static char machine_arch[] = MACHINE_ARCH; SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD, machine_arch, 0, "System architecture"); +#ifdef REGRESSION +SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0, "Regression test MIB"); +#endif /* !REGRESSION */ + char hostname[MAXHOSTNAMELEN]; static int @@ -165,6 +171,13 @@ SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname, CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, sysctl_hostname, "A", "Hostname"); +#ifdef REGRESSION +int regression_securelevel_nonmonotonic=0; + +SYSCTL_INT(_regression, OID_AUTO, securelevel_nonmonotonic, CTLFLAG_RW, + ®ression_securelevel_nonmonotonic, 0, "securelevel may be lowered"); +#endif /* !REGRESSION */ + int securelevel = -1; static int @@ -190,11 +203,17 @@ sysctl_kern_securelvl(SYSCTL_HANDLER_ARGS) * global level, and local level if any. */ if (req->p->p_ucred->cr_prison != NULL) { +#ifdef REGRESSION + if (!regression_securelevel_nonmonotonic) +#endif /* !REGRESSION */ if (level < imax(securelevel, req->p->p_ucred->cr_prison->pr_securelevel)) return (EPERM); req->p->p_ucred->cr_prison->pr_securelevel = level; } else { +#ifdef REGRESSION + if (!regression_securelevel_nonmonotonic) +#endif /* !REGRESSION */ if (level < securelevel) return (EPERM); securelevel = level; |
