author | rwatson <rwatson@FreeBSD.org> | 2009-06-03 18:46:28 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2009-06-03 18:46:28 +0000 |
commit | 849a8ce20b26266bfcee925d683db20bee2a0ccd (patch) | |
tree | c959f41a3828e52e4d9970ee9fff5c64a88ca36e /sys/security/mac_stub | |
parent | 673e1d1fc9eb778be5e4ca28de814387aca23ab8 (diff) | |
Continue work to optimize performance of "options MAC" when no MAC policy
modules are loaded by avoiding mbuf label lookups when policies aren't
loaded, pushing further socket locking into MAC policy modules, and
avoiding locking MAC ifnet locks when no policies are loaded:
- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC
Framework entry points. We will still pay label lookup costs if MAC
policies are present but don't require labels (typically a single mbuf
header field read, but perhaps further indirection if IPSEC or other
m_tag consumers are in use).
- Further push socket locking for socket-related access control checks and
events into MAC policies from the MAC Framework, so that sockets are
only locked if a policy specifically requires a lock to protect a label.
This resolves lock order issues during sonewconn() and also in local
domain socket cross-connect where multiple socket locks could not be
held at once for the purposes of propagating MAC labels across multiple
sockets. Eliminate mac_policy_count check in some entry points where it
no longer avoids locking.
- Add mac_policy_count checking in some entry points relating to network
interfaces that otherwise lock a global MAC ifnet lock used to protect
ifnet labels.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_stub')
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index cecf2ea..007efb8 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -413,6 +413,8 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
+	SOCK_LOCK_ASSERT(so);
+
 }
 static void
@@ -809,6 +811,11 @@ stub_socket_check_accept(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -817,6 +824,11 @@ stub_socket_check_bind(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -825,6 +837,11 @@ stub_socket_check_connect(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -840,6 +857,11 @@ stub_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -848,6 +870,11 @@ stub_socket_check_listen(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -856,6 +883,11 @@ stub_socket_check_poll(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -864,6 +896,11 @@ stub_socket_check_receive(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -872,6 +909,8 @@ stub_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
+	SOCK_LOCK_ASSERT(so);
+
 	return (0);
 }
 static int
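Review bot: The `SOCK_LOCK_ASSERT(so)` added to stub_inpcb_sosetlabel, and likewise to stub_socket_check_relabel later on this line and stub_socket_relabel on the next, turns an implicit locking contract into a checked one, but nothing in the stub says who is expected to hold the lock, and mac_stub.c is the template other policies are written from. A one-line comment above the assertion would carry the contract forward, e.g. `/* The caller holds the socket lock here; solabel may be read and written without further locking. */`. That the MAC Framework is the caller that takes the lock is my reading of the commit message rather than of the hunk, so adjust the wording if the lock is taken elsewhere.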
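Review bot: The `#if 0 … SOCK_LOCK(so); SOCK_UNLOCK(so); … #endif` block in stub_socket_check_accept is compiled-out code with no comment saying why it is there, and the same pattern recurs in check_bind, check_connect, check_deliver, check_listen, check_poll and check_receive on this line and in check_send, check_stat, check_visible, create_mbuf, newconn, socketpeer_set_from_mbuf and socketpeer_set_from_socket on the next. Since mac_stub.c exists to show policy authors the expected shape of each entry point, a comment at the first occurrence would make the intent explicit, e.g. `/* A policy that keeps state in solabel would take the socket lock here; the stub has no label to protect, so the lock is shown but not taken. */`. In stub_socket_newconn and stub_socketpeer_set_from_socket the two sockets are locked in separate `#if 0` blocks rather than one inside the other, which presumably reflects the lock-order problem the commit message describes; that is worth stating too, e.g. `/* Lock oldso and newso one at a time: a policy must not hold both socket locks together. */`.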
@@ -879,6 +918,11 @@ stub_socket_check_send(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -887,6 +931,11 @@ stub_socket_check_stat(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -903,6 +952,11 @@ stub_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
@@ -918,6 +972,10 @@ stub_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
 }
 static void
@@ -925,6 +983,14 @@ stub_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
+#if 0
+	SOCK_LOCK(oldso);
+	SOCK_UNLOCK(oldso);
+#endif
+#if 0
+	SOCK_LOCK(newso);
+	SOCK_UNLOCK(newso);
+#endif
 }
 static void
@@ -932,6 +998,7 @@ stub_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
+	SOCK_LOCK_ASSERT(so);
 }
 static void
@@ -939,6 +1006,10 @@ stub_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
 }
 static void
@@ -947,6 +1018,14 @@ stub_socketpeer_set_from_socket(struct socket *oldso,
     struct label *newsopeerlabel)
 {
+#if 0
+	SOCK_LOCK(oldso);
+	SOCK_UNLOCK(oldso);
+#endif
+#if 0
+	SOCK_LOCK(newso);
+	SOCK_UNLOCK(newso);
+#endif
 }
 static void |