diff options
| author | rwatson <rwatson@FreeBSD.org> | 2009-06-03 18:46:28 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2009-06-03 18:46:28 +0000 |
| commit | 849a8ce20b26266bfcee925d683db20bee2a0ccd (patch) | |
| tree | c959f41a3828e52e4d9970ee9fff5c64a88ca36e /sys/security/mac_biba | |
| parent | 673e1d1fc9eb778be5e4ca28de814387aca23ab8 (diff) | |
| download | FreeBSD-src-849a8ce20b26266bfcee925d683db20bee2a0ccd.zip FreeBSD-src-849a8ce20b26266bfcee925d683db20bee2a0ccd.tar.gz | |
Continue work to optimize performance of "options MAC" when no MAC policy
modules are loaded by avoiding mbuf label lookups when policies aren't
loaded, pushing further socket locking into MAC policy modules, and
avoiding locking MAC ifnet locks when no policies are loaded:
- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC
Framework entry points. We will still pay label lookup costs if MAC
policies are present but don't require labels (typically a single mbuf
header field read, but perhaps further indirection if IPSEC or other
m_tag consumers are in use).
- Further push socket locking for socket-related access control checks and
events into MAC policies from the MAC Framework, so that sockets are
only locked if a policy specifically requires a lock to protect a label.
This resolves lock order issues during sonewconn() and also in local
domain socket cross-connect where multiple socket locks could not be
held at once for the purposes of propagatig MAC labels across multiple
sockets. Eliminate mac_policy_count check in some entry points where it
no longer avoids locking.
- Add mac_policy_count checking in some entry points relating to network
interfaces that otherwise lock a global MAC ifnet lock used to protect
ifnet labels.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_biba')
| -rw-r--r-- | sys/security/mac_biba/mac_biba.c | 47 |
1 files changed, 38 insertions, 9 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 212c499..2c6ada1 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. @@ -1177,7 +1177,9 @@ biba_inpcb_create(struct socket *so, struct label *solabel, source = SLOT(solabel); dest = SLOT(inplabel); + SOCK_LOCK(so); biba_copy_effective(source, dest); + SOCK_UNLOCK(so); } static void @@ -1198,6 +1200,8 @@ biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, { struct mac_biba *source, *dest; + SOCK_LOCK_ASSERT(so); + source = SLOT(solabel); dest = SLOT(inplabel); @@ -1918,6 +1922,7 @@ biba_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_biba *p, *s; + int error; if (!biba_enabled) return (0); @@ -1925,7 +1930,10 @@ biba_socket_check_deliver(struct socket *so, struct label *solabel, p = SLOT(mlabel); s = SLOT(solabel); - return (biba_equal_effective(p, s) ? 0 : EACCES); + SOCK_LOCK(so); + error = biba_equal_effective(p, s) ? 0 : EACCES; + SOCK_UNLOCK(so); + return (error); } static int @@ -1935,6 +1943,8 @@ biba_socket_check_relabel(struct ucred *cred, struct socket *so, struct mac_biba *subj, *obj, *new; int error; + SOCK_LOCK_ASSERT(so); + new = SLOT(newlabel); subj = SLOT(cred->cr_label); obj = SLOT(solabel); @@ -1991,8 +2001,12 @@ biba_socket_check_visible(struct ucred *cred, struct socket *so, subj = SLOT(cred->cr_label); obj = SLOT(solabel); - if (!biba_dominate_effective(obj, subj)) + SOCK_LOCK(so); + if (!biba_dominate_effective(obj, subj)) { + SOCK_UNLOCK(so); return (ENOENT); + } + SOCK_UNLOCK(so); return (0); } @@ -2018,19 +2032,26 @@ biba_socket_create_mbuf(struct socket *so, struct label *solabel, source = SLOT(solabel); dest = SLOT(mlabel); + SOCK_LOCK(so); biba_copy_effective(source, dest); + SOCK_UNLOCK(so); } static void biba_socket_newconn(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsolabel) { - struct mac_biba *source, *dest; + struct mac_biba source, *dest; + + SOCK_LOCK(oldso); + source = *SLOT(oldsolabel); + SOCK_UNLOCK(oldso); - source = SLOT(oldsolabel); dest = SLOT(newsolabel); - biba_copy_effective(source, dest); + SOCK_LOCK(newso); + biba_copy_effective(&source, dest); + SOCK_UNLOCK(newso); } static void @@ -2039,6 +2060,8 @@ biba_socket_relabel(struct ucred *cred, struct socket *so, { struct mac_biba *source, *dest; + SOCK_LOCK_ASSERT(so); + source = SLOT(newlabel); dest = SLOT(solabel); @@ -2054,7 +2077,9 @@ biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, source = SLOT(mlabel); dest = SLOT(sopeerlabel); + SOCK_LOCK(so); biba_copy_effective(source, dest); + SOCK_UNLOCK(so); } static void @@ -2062,12 +2087,16 @@ biba_socketpeer_set_from_socket(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel) { - struct mac_biba *source, *dest; + struct mac_biba source, *dest; - source = SLOT(oldsolabel); + SOCK_LOCK(oldso); + source = *SLOT(oldsolabel); + SOCK_UNLOCK(oldso); dest = SLOT(newsopeerlabel); - biba_copy_effective(source, dest); + SOCK_LOCK(newso); + biba_copy_effective(&source, dest); + SOCK_UNLOCK(newso); } static void |
