Re: [RFC][PATCH 6/6] SLIM: debug output
From: Mimi Zohar
Date: Tue Jul 25 2006 - 10:14:12 EST
Kylie,
This patch doesn't apply properly. It seems that most of the debugging was
added in the base slim. The parts
that weren't added are listed below.
Mimi
Index: linux-2.6.17.7/security/slim/slm_main.c
===================================================================
--- linux-2.6.17.7.orig/security/slim/slm_main.c
+++ linux-2.6.17.7/security/slim/slm_main.c
@@ -1563,6 +1563,7 @@ static void enforce_guard_integrity_exec
{
struct slm_tsec_data *cur_tsec = current->security;
struct task_struct *parent_tsk = current->parent;
+ struct slm_tsec_data *parent_tsec = parent_tsk->security;
if ((strcmp(bprm->filename, bprm->interp) != 0)
&& (level->guard.unlimited)) {
@@ -1588,6 +1589,35 @@ static void enforce_guard_integrity_exec
cur_tsec->iac_wx = level->guard.iac_wx;
spin_unlock(&cur_tsec->lock);
} else {
+ if (!parent_tsec) {
+ dprintk(SLM_SECRECY,
+ "%s: pid %d(%s %d-%s) %s "
+ " executing, promoting secrecy to sac=%d-%s\n",
+ __FUNCTION__, current->pid,
+ current->comm, cur_tsec->sac_rx,
+ (cur_tsec->sac_w != cur_tsec->sac_rx)
+ ? "GUARD" : slm_sac_str[cur_tsec->
+ sac_rx],
+ bprm->filename, level->sac_level,
+ slm_sac_str[level->sac_level]);
+ } else
+ dprintk(SLM_SECRECY,
+ "%s: ppid %d(%s %d-%s) pid %d(%s %d-%s) %s"
+ "executing, promoting secrecy to sac=%d-%s\n",
+ __FUNCTION__, parent_tsk->pid,
+ parent_tsk->comm,
+ parent_tsec->sac_rx,
+ (parent_tsec->sac_w != parent_tsec->sac_rx)
+ ? "GUARD" :
+ slm_sac_str[parent_tsec->sac_rx],
+ current->pid, current->comm,
+ cur_tsec->sac_rx,
+ (cur_tsec->sac_w != cur_tsec->sac_rx)
+ ? "GUARD" : slm_sac_str[cur_tsec->
+ sac_rx],
+ bprm->filename, level->sac_level,
+ slm_sac_str[level->sac_level]);
+
spin_lock(&cur_tsec->lock);
if (cur_tsec->iac_r > level->guard.iac_r)
cur_tsec->iac_r = level->guard.iac_r;
Index: linux-2.6.17.7/security/slim/slim.h
===================================================================
--- linux-2.6.17.7.orig/security/slim/slim.h
+++ linux-2.6.17.7/security/slim/slim.h
@@ -100,3 +100,19 @@ extern int slm_init_config(void);
extern __init int slm_init_secfs(void);
extern __exit void slm_cleanup_secfs(void);
+
+extern __init int slm_init_debugfs(void);
+extern __exit void slm_cleanup_debugfs(void);
+
+extern unsigned int slm_debug;
+enum slm_debug_level {
+ SLM_BASE = 1,
+ SLM_INTEGRITY = 2,
+ SLM_SECRECY = 4,
+ SLM_VERBOSE = 8,
+};
+
+#undef dprintk
+#define dprintk(level, format, a...) \
+ if (slm_debug & level) \
+ printk(KERN_INFO format, ##a)
Index: linux-2.6.17.7/security/slim/slm_secfs.c
===================================================================
--- linux-2.6.17.7.orig/security/slim/slm_secfs.c
+++ linux-2.6.17.7/security/slim/slm_secfs.c
@@ -19,6 +19,8 @@
#include "slim.h"
static struct dentry *slim_sec_dir, *slim_level;
+static struct dentry *slim_debug_dir, *slim_integrity, *slim_secrecy,
+ *slim_verbose;
static ssize_t slm_read_level(struct file *file, char __user *buf,
size_t buflen, loff_t *ppos)
@@ -42,10 +44,85 @@ static ssize_t slm_read_level(struct fil
return simple_read_from_buffer(buf, buflen, ppos, data, len);
}
+static int slm_open_debug(struct inode *inode, struct file *file)
+{
+ if (inode->u.generic_ip)
+ file->private_data = inode->u.generic_ip;
+ return 0;
+}
+
+static ssize_t slm_read_debug(struct file *file, char __user * buf,
+ size_t buflen, loff_t * ppos)
+{
+ ssize_t len = 0;
+ enum slm_debug_level type = (enum slm_debug_level)file->private_data;
+ char *page = (char *)__get_free_page(GFP_KERNEL);
+
+ if (!page)
+ return -ENOMEM;
+
+ switch(type) {
+ case SLM_INTEGRITY:
+ len = sprintf(page, "slm_debug: integrity %s\n",
+ ((slm_debug & SLM_INTEGRITY) == SLM_INTEGRITY)
+ ? "ON" : "OFF");
+ break;
+ case SLM_SECRECY:
+ len = sprintf(page, "slm_debug: secrecy %s\n",
+ ((slm_debug & SLM_SECRECY) == SLM_SECRECY)
+ ? "ON" : "OFF");
+ break;
+ case SLM_VERBOSE:
+ len = sprintf(page, "evm_debug: verbose %s\n",
+ ((slm_debug & SLM_VERBOSE) == SLM_VERBOSE)
+ ? "ON" : "OFF");
+ break;
+ default:
+ break;
+ }
+ len = simple_read_from_buffer(buf, buflen, ppos, page, len);
+ free_page((unsigned long)page);
+ return len;
+}
+
+static ssize_t slm_write_debug(struct file *file, const char __user * buf,
+ size_t buflen, loff_t * ppos)
+{
+ char flag;
+ enum slm_debug_level type = (enum slm_debug_level)file->private_data;
+
+ if (copy_from_user(&flag, buf, 1))
+ return -EFAULT;
+
+ switch(type) {
+ case SLM_INTEGRITY:
+ slm_debug = (flag == '0') ? slm_debug & ~SLM_INTEGRITY :
+ slm_debug | SLM_INTEGRITY;
+ break;
+ case SLM_SECRECY:
+ slm_debug = (flag == '0') ? slm_debug & ~SLM_SECRECY :
+ slm_debug | SLM_SECRECY;
+ break;
+ case SLM_VERBOSE:
+ slm_debug = (flag == '0') ? slm_debug & ~SLM_VERBOSE :
+ slm_debug | SLM_VERBOSE;
+ break;
+ default:
+ break;
+ }
+ return buflen;
+}
+
static struct file_operations slm_level_ops = {
.read = slm_read_level,
};
+static struct file_operations slm_debug_ops = {
+ .read = slm_read_debug,
+ .write = slm_write_debug,
+ .open = slm_open_debug,
+};
+
int __init slm_init_secfs(void)
{
slim_sec_dir = securityfs_create_dir("slim", NULL);
@@ -60,8 +137,48 @@ int __init slm_init_secfs(void)
return 0;
}
+int __init slm_init_debugfs(void)
+{
+ slim_debug_dir = debugfs_create_dir("slim", NULL);
+ if (!slim_debug_dir || IS_ERR(slim_debug_dir))
+ return -EFAULT;
+
+ slim_integrity = debugfs_create_file("integrity", S_IRUSR | S_IRGRP,
+ slim_debug_dir, (void *)SLM_INTEGRITY,
+ &slm_debug_ops);
+ if (!slim_integrity || IS_ERR(slim_integrity))
+ goto out_del_debugdir;
+ slim_secrecy = debugfs_create_file("secrecy", S_IRUSR | S_IRGRP,
+ slim_debug_dir, (void *)SLM_SECRECY,
+ &slm_debug_ops);
+ if (!slim_secrecy || IS_ERR(slim_secrecy))
+ goto out_del_integrity;
+ slim_verbose = debugfs_create_file("verbose", S_IRUSR | S_IRGRP,
+ slim_debug_dir, (void *)SLM_VERBOSE,
+ &slm_debug_ops);
+ if (!slim_verbose || IS_ERR(slim_verbose))
+ goto out_del_secrecy;
+ return 0;
+
+out_del_secrecy:
+ debugfs_remove(slim_secrecy);
+out_del_integrity:
+ debugfs_remove(slim_integrity);
+out_del_debugdir:
+ debugfs_remove(slim_debug_dir);
+ return -EFAULT;
+}
+
void __exit slm_cleanup_secfs(void)
{
securityfs_remove(slim_level);
securityfs_remove(slim_sec_dir);
}
+
+void __exit slm_cleanup_debugfs(void)
+{
+ debugfs_remove(slim_verbose);
+ debugfs_remove(slim_secrecy);
+ debugfs_remove(slim_integrity);
+ debugfs_remove(slim_debug_dir);
+}
Mimi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/