author | rwatson <rwatson@FreeBSD.org> | 2004-05-03 20:53:05 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2004-05-03 20:53:05 +0000 |
commit | a857ce2f0acec128ed2d0b02632546c552086fab (patch) | |
tree | 1820a195dcdd8fed2cde624bb60dd58362b713d7 /sys/security | |
parent | c5cf8dba6f16f4dfbd87ae45597eca45c3a26c3f (diff) | |
Add MAC_STATIC, a kernel option that disables internal MAC Framework
synchronization protecting against dynamic load and unload of MAC
policies, and instead simply blocks load and unload. In a static
configuration, this allows you to avoid the synchronization costs
associated with introducing dynamicism.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.c | 25 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 25 |
2 files changed, 50 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 70cb870..cc55e24 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -166,9 +166,11 @@ MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 * exclusive consumers that they should try to acquire the lock if a
 * first attempt at exclusive access fails.
 */
+#ifndef MAC_STATIC
 static struct mtx mac_policy_mtx;
 static struct cv mac_policy_cv;
 static int mac_policy_count;
+#endif
 struct mac_policy_list_head mac_policy_list;
 struct mac_policy_list_head mac_static_policy_list;
@@ -185,44 +187,53 @@ void
 mac_policy_grab_exclusive(void)
 {
+#ifndef MAC_STATIC
 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__);
 mtx_lock(&mac_policy_mtx);
 while (mac_policy_count != 0)
 cv_wait(&mac_policy_cv, &mac_policy_mtx);
+#endif
 }
 void
 mac_policy_assert_exclusive(void)
 {
+#ifndef MAC_STATIC
 mtx_assert(&mac_policy_mtx, MA_OWNED);
 KASSERT(mac_policy_count == 0, ("mac_policy_assert_exclusive(): not exclusive"));
+#endif
 }
 void
 mac_policy_release_exclusive(void)
 {
+#ifndef MAC_STATIC
 KASSERT(mac_policy_count == 0, ("mac_policy_release_exclusive(): not exclusive"));
 mtx_unlock(&mac_policy_mtx);
 cv_signal(&mac_policy_cv);
+#endif
 }
 void
 mac_policy_list_busy(void)
 {
+#ifndef MAC_STATIC
 mtx_lock(&mac_policy_mtx);
 mac_policy_count++;
 mtx_unlock(&mac_policy_mtx);
+#endif
 }
 int
 mac_policy_list_conditional_busy(void)
 {
+#ifndef MAC_STATIC
 int ret;
 mtx_lock(&mac_policy_mtx);
@@ -233,18 +244,23 @@ mac_policy_list_conditional_busy(void)
 ret = 0;
 mtx_unlock(&mac_policy_mtx);
 return (ret);
+#else
+ return (1);
+#endif
 }
 void
 mac_policy_list_unbusy(void)
 {
+#ifndef MAC_STATIC
 mtx_lock(&mac_policy_mtx);
 mac_policy_count--;
 KASSERT(mac_policy_count >= 0, ("MAC_POLICY_LIST_LOCK"));
 if (mac_policy_count == 0)
 cv_signal(&mac_policy_cv);
 mtx_unlock(&mac_policy_mtx);
+#endif
 }
 /*
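Review bot: Under MAC_STATIC the new `#else` branch of mac_policy_list_conditional_busy returns 1 unconditionally while grab/assert/release/busy/unbusy compile to empty bodies, so every policy-list walk now depends on the lists never changing after mac_late — an invariant that is enforced only by the modevent check in a later hunk and is not stated anywhere in this one. The `#else` branch should say so, e.g. `/* MAC_STATIC: policy lists are frozen once mac_late is set (see mac_policy_modevent), so walkers need no busy count. */`. mac_policy_assert_exclusive also loses its KASSERT entirely in this configuration, which is intended but worth a line in the function's header comment so nobody later relies on it to catch a missed lock. mac_policy_list_conditional_busy starts in this hunk and its body continues into the next; the hunks shown under mac_syscalls.c repeat these verbatim down to the index line, which looks like a rendering artifact of this page rather than a second change, so the same remarks apply there.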
@@ -258,8 +274,10 @@ mac_init(void)
 LIST_INIT(&mac_policy_list);
 mac_labelzone_init();
+#ifndef MAC_STATIC
 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
 cv_init(&mac_policy_cv, "mac_policy_cv");
+#endif
 }
 /*
@@ -314,6 +332,13 @@ mac_policy_modevent(module_t mod, int type, void *data)
 error = 0;
 mpc = (struct mac_policy_conf *) data;
+#ifdef MAC_STATIC
+ if (mac_late) {
+ printf("mac_policy_modevent: MAC_STATIC and late\n");
+ return (EBUSY);
+ }
+#endif
+
 switch (type) {
 case MOD_LOAD:
 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 70cb870..cc55e24 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -166,9 +166,11 @@ MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 * exclusive consumers that they should try to acquire the lock if a
 * first attempt at exclusive access fails.
 */
+#ifndef MAC_STATIC
 static struct mtx mac_policy_mtx;
 static struct cv mac_policy_cv;
 static int mac_policy_count;
+#endif
 struct mac_policy_list_head mac_policy_list;
 struct mac_policy_list_head mac_static_policy_list;
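Review bot: The new MAC_STATIC guard in mac_policy_modevent returns EBUSY for every event type once mac_late is set, not only for MOD_LOAD and MOD_UNLOAD; if the switch below (which continues outside the hunk) also handles other events such as MOD_SHUTDOWN, those would now be refused as well. Narrowing it to `if (mac_late && (type == MOD_LOAD || type == MOD_UNLOAD)) {` keeps the block to what the commit message describes. The printed message names the option but not the policy being rejected; if mpc_name is the field the rest of this file uses for the policy name, `printf("mac_policy_modevent: MAC_STATIC and late, refusing %s\n", mpc->mpc_name);` would make the refusal traceable in the console log. A comment should also record that before mac_late the now-unsynchronized grab/busy paths are still reachable and are safe only because no other thread can be walking the policy lists at that point.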
@@ -185,44 +187,53 @@ void
 mac_policy_grab_exclusive(void)
 {
+#ifndef MAC_STATIC
 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, "mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__);
 mtx_lock(&mac_policy_mtx);
 while (mac_policy_count != 0)
 cv_wait(&mac_policy_cv, &mac_policy_mtx);
+#endif
 }
 void
 mac_policy_assert_exclusive(void)
 {
+#ifndef MAC_STATIC
 mtx_assert(&mac_policy_mtx, MA_OWNED);
 KASSERT(mac_policy_count == 0, ("mac_policy_assert_exclusive(): not exclusive"));
+#endif
 }
 void
 mac_policy_release_exclusive(void)
 {
+#ifndef MAC_STATIC
 KASSERT(mac_policy_count == 0, ("mac_policy_release_exclusive(): not exclusive"));
 mtx_unlock(&mac_policy_mtx);
 cv_signal(&mac_policy_cv);
+#endif
 }
 void
 mac_policy_list_busy(void)
 {
+#ifndef MAC_STATIC
 mtx_lock(&mac_policy_mtx);
 mac_policy_count++;
 mtx_unlock(&mac_policy_mtx);
+#endif
 }
 int
 mac_policy_list_conditional_busy(void)
 {
+#ifndef MAC_STATIC
 int ret;
 mtx_lock(&mac_policy_mtx);
@@ -233,18 +244,23 @@ mac_policy_list_conditional_busy(void)
 ret = 0;
 mtx_unlock(&mac_policy_mtx);
 return (ret);
+#else
+ return (1);
+#endif
 }
 void
 mac_policy_list_unbusy(void)
 {
+#ifndef MAC_STATIC
 mtx_lock(&mac_policy_mtx);
 mac_policy_count--;
 KASSERT(mac_policy_count >= 0, ("MAC_POLICY_LIST_LOCK"));
 if (mac_policy_count == 0)
 cv_signal(&mac_policy_cv);
 mtx_unlock(&mac_policy_mtx);
+#endif
 }
 /*
@@ -258,8 +274,10 @@ mac_init(void)
 LIST_INIT(&mac_policy_list);
 mac_labelzone_init();
+#ifndef MAC_STATIC
 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
 cv_init(&mac_policy_cv, "mac_policy_cv");
+#endif
 }
 /*
@@ -314,6 +332,13 @@ mac_policy_modevent(module_t mod, int type, void *data)
 error = 0;
 mpc = (struct mac_policy_conf *) data;
+#ifdef MAC_STATIC
+ if (mac_late) {
+ printf("mac_policy_modevent: MAC_STATIC and late\n");
+ return (EBUSY);
+ }
+#endif
+
 switch (type) {
 case MOD_LOAD:
 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&