
PERFORCE change 111046 for review

Subject: PERFORCE change 111046 for review
From: Todd Miller
Date: Mon, 4 Dec 2006 18:34:22 GMT
http://perforce.freebsd.org/chv.cgi?CH=111046

Change 111046 by millert@millert_g5tower on 2006/12/04 18:34:01

        Remove rate limiting, it was removed in selinux long ago.

Affected files ...

.. 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#12 
edit

Differences ...

==== 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#12 
(text+ko) ====

@@ -148,14 +148,9 @@
 #define NOTIF_LOCK lck_mtx_lock(notif_lock)
 #define NOTIF_UNLOCK lck_mtx_unlock(notif_lock)
 
-static lck_mtx_t *ratelimit_lock;
-#define RATELIM_LOCK lck_mtx_lock(ratelimit_lock)
-#define RATELIM_UNLOCK lck_mtx_unlock(ratelimit_lock)
-
 static struct avc_cache avc_cache;
 static struct avc_callback_node *avc_callbacks;
 static zone_t avc_node_cachep;
-static uint64_t avc_msg_cost, avc_msg_burst;
 
 static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 {
@@ -277,7 +272,6 @@
        /* allocate avc mutexes */
        avc_log_lock = lck_mtx_alloc_init(avc_lck_grp, avc_lck_attr);
        notif_lock = lck_mtx_alloc_init(avc_lck_grp, avc_lck_attr);
-       ratelimit_lock = lck_mtx_alloc_init(avc_lck_grp, avc_lck_attr);
 
        for (i = 0; i < AVC_CACHE_SLOTS; i++) {
                LIST_INIT(&avc_cache.slots[i]);
@@ -291,10 +285,6 @@
        lck_attr_free(avc_lck_attr);
         lck_grp_attr_free(avc_lck_grp_attr);
 
-       /* For avc_ratelimit() */
-       nanoseconds_to_absolutetime(5000000000ULL, &avc_msg_cost);
-       avc_msg_burst = 10 * avc_msg_cost;
-
        avc_node_cachep = mac_zinit(sizeof(struct avc_node),
            AVC_CACHE_MAXNODES * sizeof(struct avc_node),
            AVC_CACHE_RECLAIM * sizeof(struct avc_node), "avc node");
@@ -575,63 +565,6 @@
 }
 #endif /* __linux__ */
 
-
-#define AVC_MSG_COST   avc_msg_cost
-#define AVC_MSG_BURST  avc_msg_burst
-
-/*
- * This enforces a rate limit: not more than one kernel message
- * every 5secs to make a denial-of-service attack impossible.
- */
-static int avc_ratelimit(void)
-{
-       static uint64_t toks;
-       static uint64_t last_msg;
-       static int missed, rc;
-       uint64_t now;
-
-       now = mach_absolute_time();
-
-       RATELIM_LOCK;
-       toks += now - last_msg;
-       last_msg = now;
-       if (toks > AVC_MSG_BURST)
-               toks = AVC_MSG_BURST;
-       if (toks >= AVC_MSG_COST) {
-               int lost = missed;
-               missed = 0;
-               toks -= AVC_MSG_COST;
-               RATELIM_UNLOCK;
-               if (lost)
-                       printk(KERN_WARNING "AVC: %d messages suppressed.\n",
-                              lost);
-               rc = 1;
-               goto out;
-       }
-       missed++;
-       RATELIM_UNLOCK;
-out:
-       return rc;
-}
-
-static inline int check_avc_ratelimit(void)
-{
-
-       /*
-        * If auditing is not enabled, suppress all messages.
-        */
-       if (!selinux_auditing)
-               return 0;
-
-       /*
-        * If in permissive mode, display all messages.
-        */
-       if (!selinux_enforcing)
-               return 1;
-
-       return avc_ratelimit();
-}
-
 /**
  * avc_audit - Audit the granting or denial of permissions.
  * @ssid: source security identifier
@@ -672,9 +605,6 @@
                        return;
        }
 
-       if (!check_avc_ratelimit())
-               return;
-
        ab = audit_log_start();
        if (!ab)
                return;         /* audit_panic has been called */
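Review bot: With the `check_avc_ratelimit()` call removed, avc_audit() reaches `audit_log_start()` for every audited decision, and the deleted helper did more than rate-limit. It also returned 0 when `selinux_auditing` was unset, so that switch no longer suppresses AVC messages on this path unless it is checked somewhere not shown in this diff. Nothing visible here establishes that audit_log_start() or the audit layer applies its own limit; if it does not, repeated denials in enforcing mode can flood the kernel log, which the deleted comment on avc_ratelimit() named as the denial-of-service case it guarded against. I would keep the auditing gate as `if (!selinux_auditing) return;` ahead of audit_log_start(), and add a comment there naming where message throttling now happens. avc_audit's body starts and ends outside the hunk.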