[PATCH][RSBAC]: Introduce rsbac_pr_debug
Arnaldo Carvalho de Melo
acme at mandriva.com
Sun Feb 12 01:32:22 CET 2006
Hi,
Please take a look if the (big) patch available at:
http://oops.ghostprotocols.net:81/acme/rsbac_pr_debug.patch
http://master.kernel.org/~acme/rsbac_pr_debug.patch
done in the rsbac1/linux-kernel/2.6/branches/linux-rsbac branch,
SVN revision 633, is acceptable. I tested it with:
# RSBAC with all debug options enabled
qemu -nographic -hda snap.img -m 64 -kernel
$CURRENT_TREE/../OUTPUT/qemu/arch/i386/boot/bzImage -append "root=03:00
ide2=noprobe ide3=noprobe ide4=noprobe ide5=noprobe console=ttyS0 clock=pit
rsbac_debug_ds_net rsbac_debug_aef_net rsbac_debug_adf_net
rsbac_debug_ds_mac
rsbac_debug_aef_mac rsbac_debug_adf_mac rsbac_debug_ds_pm rsbac_debug_aef_pm
rsbac_debug_adf_pm rsbac_debug_adf_daz rsbac_debug_ds_rc rsbac_debug_aef_rc
rsbac_debug_adf_rc rsbac_debug_ds_auth rsbac_debug_aef_auth
rsbac_debug_adf_auth rsbac_debug_reg rsbac_debug_ds_acl rsbac_debug_aef_acl
rsbac_debug_adf_acl rsbac_debug_aef_jail rsbac_debug_adf_jail
rsbac_debug_adf_pax rsbac_debug_ds_um rsbac_debug_aef_um rsbac_debug_adf_um
rsbac_debug_ds_repl rsbac_debug_aef_repl rsbac_debug_adf_repl
rsbac_debug_auto
rsbac_debug_lists rsbac_debug_stack rsbac_debug_ds rsbac_debug_write
rsbac_debug_aef rsbac_debug_no_write"
Which is a bit extreme, as it's more than the kernel can grok, but
the ones that were __setup'ed seem enough for some testing of the patch :-)
Best Regards,
- Arnaldo
[acme at newtoy linux-rsbac]$ grep RSBAC ../OUTPUT/qemu/.config
# Rule Set Based Access Control (RSBAC)
CONFIG_RSBAC=y
# General RSBAC options
CONFIG_RSBAC_INIT_THREAD=y
CONFIG_RSBAC_MAX_INIT_TIME=60
CONFIG_RSBAC_PROC=y
CONFIG_RSBAC_INIT_CHECK=y
CONFIG_RSBAC_NO_WRITE=y
CONFIG_RSBAC_LIST_MAX_HASHES=32
CONFIG_RSBAC_LIST_TRANS=y
CONFIG_RSBAC_LIST_TRANS_MAX_TTL=3600
CONFIG_RSBAC_LIST_TRANS_RANDOM_TA=y
# CONFIG_RSBAC_LIST_REPL is not set
CONFIG_RSBAC_DEBUG=y
CONFIG_RSBAC_DEV_USER_BACKUP=y
CONFIG_RSBAC_SECOFF_UID=400
CONFIG_RSBAC_INIT_DELAY=y
CONFIG_RSBAC_GEN_NR_P_LISTS=4
CONFIG_RSBAC_UM=y
CONFIG_RSBAC_UM_DIGEST=y
CONFIG_RSBAC_UM_USER_MIN=2000
CONFIG_RSBAC_UM_GROUP_MIN=2000
CONFIG_RSBAC_UM_EXCL=y
CONFIG_RSBAC_UM_MIN_PASS_LEN=6
CONFIG_RSBAC_UM_NON_ALPHA=y
CONFIG_RSBAC_UM_PWHISTORY=y
CONFIG_RSBAC_UM_PWHISTORY_MAX=8
# RSBAC networking options
CONFIG_RSBAC_NET=y
CONFIG_RSBAC_NET_DEV=y
CONFIG_RSBAC_NET_DEV_VIRT=y
CONFIG_RSBAC_IND_NETDEV_LOG=y
CONFIG_RSBAC_NET_OBJ=y
CONFIG_RSBAC_NET_OBJ_RW=y
CONFIG_RSBAC_IND_NETOBJ_LOG=y
# CONFIG_RSBAC_MAINT is not set
CONFIG_RSBAC_REG=y
CONFIG_RSBAC_REG_SAMPLES=y
CONFIG_RSBAC_AUTH=y
CONFIG_RSBAC_AUTH_AUTH_PROT=y
# CONFIG_RSBAC_AUTH_OTHER_PROT is not set
CONFIG_RSBAC_AUTH_UM_PROT=y
CONFIG_RSBAC_AUTH_DAC_OWNER=y
CONFIG_RSBAC_AUTH_ALLOW_SAME=y
CONFIG_RSBAC_AUTH_GROUP=y
CONFIG_RSBAC_AUTH_DAC_GROUP=y
CONFIG_RSBAC_AUTH_LEARN=y
CONFIG_RSBAC_RC=y
CONFIG_RSBAC_RC_AUTH_PROT=y
CONFIG_RSBAC_RC_UM_PROT=y
CONFIG_RSBAC_RC_GEN_PROT=y
CONFIG_RSBAC_RC_BACKUP=y
CONFIG_RSBAC_RC_NET_DEV_PROT=y
CONFIG_RSBAC_RC_NET_OBJ_PROT=y
CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS=y
CONFIG_RSBAC_RC_NR_P_LISTS=8
CONFIG_RSBAC_RC_NR_ROLE_LISTS=4
CONFIG_RSBAC_RC_NR_TYPE_LISTS=4
CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE=999999
CONFIG_RSBAC_ACL=y
CONFIG_RSBAC_ACL_SUPER_FILTER=y
CONFIG_RSBAC_ACL_AUTH_PROT=y
CONFIG_RSBAC_ACL_UM_PROT=y
CONFIG_RSBAC_ACL_GEN_PROT=y
CONFIG_RSBAC_ACL_BACKUP=y
CONFIG_RSBAC_ACL_LEARN=y
CONFIG_RSBAC_ACL_NET_DEV_PROT=y
CONFIG_RSBAC_ACL_NET_OBJ_PROT=y
CONFIG_RSBAC_MAC=y
CONFIG_RSBAC_MAC_DEF_INHERIT=y
CONFIG_RSBAC_MAC_SMART_INHERIT=y
CONFIG_RSBAC_MAC_AUTH_PROT=y
CONFIG_RSBAC_MAC_UM_PROT=y
CONFIG_RSBAC_MAC_GEN_PROT=y
CONFIG_RSBAC_MAC_LIGHT=y
CONFIG_RSBAC_MAC_TRUSTED_READ=y
CONFIG_RSBAC_MAC_RESET_CURR=y
CONFIG_RSBAC_MAC_LOG_LEVEL_CHANGE=y
CONFIG_RSBAC_MAC_NET_DEV_PROT=y
CONFIG_RSBAC_MAC_NET_OBJ_PROT=y
CONFIG_RSBAC_MAC_NR_P_LISTS=4
CONFIG_RSBAC_PAX=y
CONFIG_RSBAC_PAX_DEFAULT=y
CONFIG_RSBAC_PAX_PAGEEXEC=y
CONFIG_RSBAC_PAX_EMUTRAMP=y
CONFIG_RSBAC_PAX_MPROTECT=y
CONFIG_RSBAC_PAX_RANDMMAP=y
CONFIG_RSBAC_PAX_RANDEXEC=y
CONFIG_RSBAC_PAX_SEGMEXEC=y
CONFIG_RSBAC_DAZ=y
CONFIG_RSBAC_DAZ_CACHE=y
CONFIG_RSBAC_DAZ_TTL=86400
CONFIG_RSBAC_DAZ_PERSIST=y
CONFIG_RSBAC_DAZ_DEV_MAJOR=250
CONFIG_RSBAC_CAP=y
CONFIG_RSBAC_CAP_PROC_HIDE=y
CONFIG_RSBAC_CAP_AUTH_PROT=y
CONFIG_RSBAC_CAP_LOG_MISSING=y
CONFIG_RSBAC_JAIL=y
CONFIG_RSBAC_JAIL_NET_ADJUST=y
CONFIG_RSBAC_JAIL_NET_DEV_PROT=y
CONFIG_RSBAC_JAIL_NR_P_LISTS=4
CONFIG_RSBAC_JAIL_LOG_MISSING=y
CONFIG_RSBAC_RES=y
CONFIG_RSBAC_FF=y
CONFIG_RSBAC_FF_AUTH_PROT=y
CONFIG_RSBAC_FF_UM_PROT=y
CONFIG_RSBAC_FF_GEN_PROT=y
CONFIG_RSBAC_PM=y
CONFIG_RSBAC_PM_AUTH_PROT=y
CONFIG_RSBAC_PM_GEN_PROT=y
CONFIG_RSBAC_SOFTMODE=y
# CONFIG_RSBAC_SOFTMODE_SYSRQ is not set
CONFIG_RSBAC_SOFTMODE_IND=y
CONFIG_RSBAC_SWITCH=y
# CONFIG_RSBAC_SWITCH_ON is not set
CONFIG_RSBAC_SWITCH_REG=y
# CONFIG_RSBAC_SWITCH_AUTH is not set
# CONFIG_RSBAC_SWITCH_RC is not set
# CONFIG_RSBAC_SWITCH_ACL is not set
# CONFIG_RSBAC_SWITCH_MAC is not set
# CONFIG_RSBAC_SWITCH_PAX is not set
# CONFIG_RSBAC_SWITCH_DAZ is not set
# CONFIG_RSBAC_SWITCH_CAP is not set
# CONFIG_RSBAC_SWITCH_JAIL is not set
# CONFIG_RSBAC_SWITCH_RES is not set
# CONFIG_RSBAC_SWITCH_FF is not set
# CONFIG_RSBAC_SWITCH_PM is not set
CONFIG_RSBAC_IND_LOG=y
CONFIG_RSBAC_IND_USER_LOG=y
CONFIG_RSBAC_IND_PROG_LOG=y
CONFIG_RSBAC_LOG_PROGRAM_FILE=y
CONFIG_RSBAC_LOG_FULL_PATH=y
CONFIG_RSBAC_MAX_PATH_LEN=512
# CONFIG_RSBAC_LOG_PSEUDO is not set
CONFIG_RSBAC_SYSLOG_RATE=y
CONFIG_RSBAC_SYSLOG_RATE_DEF=1000
CONFIG_RSBAC_RMSG=y
CONFIG_RSBAC_RMSG_NOSYSLOG=y
# CONFIG_RSBAC_LOG_REMOTE is not set
# CONFIG_RSBAC_SYM_REDIR is not set
# CONFIG_RSBAC_ALLOW_DAC_DISABLE is not set
# Other RSBAC options
# CONFIG_RSBAC_SECDEL is not set
CONFIG_RSBAC_RW=y
CONFIG_RSBAC_IPC_SEM=y
# CONFIG_RSBAC_DAC_OWNER is not set
# CONFIG_RSBAC_DAC_GROUP is not set
# CONFIG_RSBAC_PROC_HIDE is not set
# CONFIG_RSBAC_FSOBJ_HIDE is not set
CONFIG_RSBAC_FREEZE=y
# CONFIG_RSBAC_FREEZE_UM is not set
# CONFIG_RSBAC_SYSLOG is not set
CONFIG_RSBAC_IOCTL=y
# CONFIG_RSBAC_USER_CHOWN is not set
# CONFIG_RSBAC_DAT_VISIBLE is not set
# CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT is not set
# CONFIG_RSBAC_USER_MOD_IOPERM is not set
# CONFIG_RSBAC_FAKE_ROOT_UID is not set
CONFIG_RSBAC_XSTATS=y
arch/alpha/kernel/ptrace.c | 8
arch/i386/kernel/ioport.c | 8
arch/ia64/kernel/ptrace.c | 8
arch/m32r/kernel/ptrace.c | 8
arch/powerpc/kernel/sys_ppc32.c | 5
arch/s390/kernel/ptrace.c | 8
arch/sparc/kernel/ptrace.c | 8
arch/sparc64/kernel/ptrace.c | 10
arch/x86_64/kernel/ioport.c | 8
block/ioctl.c | 5
drivers/block/loop.c | 20
drivers/char/mem.c | 5
drivers/char/tty_io.c | 5
drivers/char/tty_ioctl.c | 5
drivers/ide/ide.c | 5
fs/exec.c | 34
fs/ext2/ioctl.c | 4
fs/ext3/ioctl.c | 4
fs/fcntl.c | 5
fs/ioctl.c | 5
fs/locks.c | 25
fs/namei.c | 82 -
fs/namespace.c | 106 --
fs/open.c | 64 -
fs/pipe.c | 80 -
fs/proc/array.c | 15
fs/proc/base.c | 85 -
fs/proc/kcore.c | 5
fs/proc/task_mmu.c | 5
fs/proc/task_nommu.c | 5
fs/quota.c | 10
fs/read_write.c | 25
fs/readdir.c | 20
fs/stat.c | 9
fs/sysfs/file.c | 10
fs/xattr.c | 20
include/rsbac/aci_data_structures.h | 12
include/rsbac/debug.h | 9
ipc/msg.c | 33
ipc/sem.c | 35
ipc/shm.c | 37
kernel/capability.c | 10
kernel/exit.c | 5
kernel/fork.c | 10
kernel/kallsyms.c | 5
kernel/kexec.c | 5
kernel/module.c | 8
kernel/printk.c | 5
kernel/ptrace.c | 8
kernel/sched.c | 14
kernel/signal.c | 5
kernel/sys.c | 116 --
kernel/sysctl.c | 5
kernel/time.c | 13
mm/mlock.c | 10
mm/mmap.c | 12
mm/mprotect.c | 15
mm/swapfile.c | 21
net/bridge/br_if.c | 10
net/core/dev.c | 20
net/ipv4/arp.c | 5
net/ipv4/devinet.c | 15
net/ipv4/fib_frontend.c | 15
net/ipv4/fib_rules.c | 15
net/ipv4/inet_diag.c | 5
net/ipv4/ipmr.c | 5
net/ipv4/netfilter/ip_tables.c | 10
net/ipv4/route.c | 5
net/sched/cls_api.c | 10
net/sched/sch_api.c | 25
net/socket.c | 117 --
net/unix/af_unix.c | 21
rsbac/adf/acl/acl_syscalls.c | 17
rsbac/adf/adf_main.c | 190 +---
rsbac/adf/jail/jail_main.c | 30
rsbac/adf/mac/mac_main.c | 206 +---
rsbac/adf/pax/pax_main.c | 16
rsbac/adf/pm/pm_main.c | 110 --
rsbac/adf/pm/pm_syscalls.c | 223 +----
rsbac/adf/rc/rc_main.c | 142 ---
rsbac/adf/rc/rc_syscalls.c | 1
rsbac/adf/reg/reg_main.c | 59 -
rsbac/data_structures/aci_data_structures.c | 1007 ++++-------------------
rsbac/data_structures/acl_data_structures.c | 1163 +++++----------------------
rsbac/data_structures/auth_data_structures.c | 59 -
rsbac/data_structures/gen_lists.c | 706 +++-------------
rsbac/data_structures/mac_data_structures.c | 66 -
rsbac/data_structures/pm_data_structures.c | 213 ----
rsbac/data_structures/rc_data_structures.c | 87 --
rsbac/data_structures/um_data_structures.c | 134 ---
rsbac/help/cap_getname.c | 16
rsbac/help/debug.c | 270 +-----
rsbac/help/helpers.c | 13
rsbac/help/jail_getname.c | 8
rsbac/help/syscalls.c | 686 +++------------
95 files changed, 1538 insertions(+), 5289 deletions(-)
[RSBAC]: Introduce rsbac_pr_debug
This reduces the total rsbac patch size by using a macro
that is similar to the mainline kernel pr_debug macro.
The resulting messages should be the same as before.
Signed-off-by: Arnaldo Carvalho de Melo <acme at mandriva.com>