Slightly change the semantics of vnode labels for MAC: rather than

"refreshing" the label on the vnode before use, just get the label
right from inception.  For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system.  With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance.  This
also corrects sematics for shared vnode locks, which were not
previously present in the system.  This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form.  With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception.  We'll introduce a work around for this shortly.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

2 files changed, 0 insertions, 57 deletions

diff --git a/sys/fs/pseudofs/pseudofs.h b/sys/fs/pseudofs/pseudofs.h
index c7a64dd..2b9d01b 100644
--- a/sys/fs/pseudofs/pseudofs.h
+++ b/sys/fs/pseudofs/pseudofs.h
@@ -145,15 +145,6 @@ struct ucred;
 typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);
 
 /*
- * Getlabel callback
- */
-#define	PFS_REFRESHLABEL_ARGS \
-	struct thread *td, struct proc *p, struct vnode *vp, \
-	struct pfs_node *pn, struct ucred *cred
-struct mac;
-typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
-
-/*
  * Last-close callback
  */
 #define PFS_CLOSE_ARGS \
@@ -194,7 +185,6 @@ struct pfs_node {
 	pfs_attr_t		 pn_attr;
 	pfs_vis_t		 pn_vis;
 	pfs_getextattr_t	 pn_getextattr;
-	pfs_refreshlabel_t	 pn_refreshlabel;
 	void			*pn_data;
 	int			 pn_flags;
 
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index 932adc0..b797aeb 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -28,8 +28,6 @@
  *	$FreeBSD$
  */
 
-#include "opt_mac.h"
-
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/systm.h>
@@ -37,7 +35,6 @@
 #include <sys/dirent.h>
 #include <sys/fcntl.h>
 #include <sys/lock.h>
-#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/namei.h>
@@ -732,50 +729,6 @@ pfs_reclaim(struct vop_reclaim_args *va)
 	return (pfs_vncache_free(va->a_vp));
 }
 
-#ifdef MAC
-/*
- * Refresh the vnode label as appropriate for the pseudo-file system.
- */
-static int
-pfs_refreshlabel(struct vop_refreshlabel_args *va)
-{
-	struct vnode *vn = va->a_vp;
-	struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
-	struct pfs_node *pn = pvd->pvd_pn;
-	struct proc *proc = NULL;
-	int error;
-
-	PFS_TRACE((pd->pn_name));
-
-	if (pn->pn_refreshlabel == NULL) {
-		mac_update_vnode_from_mount(vn, vn->v_mount);
-		return (0);
-	}
-
-	/*
-	 * This is necessary because either process' privileges may
-	 * have changed since the last open() call.
-	 */
-	if (!pfs_visible(curthread, pn, pvd->pvd_pid))
-		PFS_RETURN (EIO);
-
-	/* XXX duplicate bits of pfs_visible() */
-	if (pvd->pvd_pid != NO_PID) {
-		if ((proc = pfind(pvd->pvd_pid)) == NULL)
-			PFS_RETURN (EIO);
-		_PHOLD(proc);
-		PROC_UNLOCK(proc);
-	}
-
-	error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
-
-	if (proc != NULL)
-		PRELE(proc);
-
-	PFS_RETURN (error);
-}
-#endif
-
 /*
  * Set attributes
  */