Date: Thu, 13 Feb 2020 22:22:55 +0000 (UTC) From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r357889 - in head/sys: kern security/mac Message-ID: <202002132222.01DMMtuF065718@repo.freebsd.org>
Author: mjg
Date: Thu Feb 13 22:22:55 2020
New Revision: 357889
URL: https://svnweb.freebsd.org/changeset/base/357889
Log: vfs: use mac fastpath for lookup, open, read, write, mmap
Modified:
head/sys/kern/vfs_lookup.c
head/sys/security/mac/mac_framework.c
head/sys/security/mac/mac_framework.h
head/sys/security/mac/mac_vfs.c
Modified: head/sys/kern/vfs_lookup.c
==============================================================================
--- head/sys/kern/vfs_lookup.c Thu Feb 13 22:22:15 2020 (r357888)
+++ head/sys/kern/vfs_lookup.c Thu Feb 13 22:22:55 2020 (r357889)
@@ -932,12 +932,9 @@ dirloop:
 */
 unionlookup:
 #ifdef MAC
- if ((cnp->cn_flags & NOMACCHECK) == 0) {
- error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp,
- cnp);
- if (error)
- goto bad;
- }
+ error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp, cnp);
+ if (error)
+ goto bad;
 #endif
 ndp->ni_dvp = dp;
 ndp->ni_vp = NULL;
Modified: head/sys/security/mac/mac_framework.c
==============================================================================
--- head/sys/security/mac/mac_framework.c Thu Feb 13 22:22:15 2020 (r357888)
+++ head/sys/security/mac/mac_framework.c Thu Feb 13 22:22:55 2020 (r357889)
@@ -125,6 +125,12 @@ bool __read_frequently mac_##f##_fp_flag
 FPFLAG(priv_check);
 FPFLAG(priv_grant);
+FPFLAG(vnode_check_lookup);
+FPFLAG(vnode_check_open);
+FPFLAG(vnode_check_stat);
+FPFLAG(vnode_check_read);
+FPFLAG(vnode_check_write);
+FPFLAG(vnode_check_mmap);
 #undef FPFLAG
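Review bot: The NOMACCHECK gate that used to surround this call is gone from vfs_lookup.c, so a reader of the call site can no longer see that lookups flagged NOMACCHECK skip the policy check; the commit moves that test into mac_vnode_check_lookup_impl() in mac_vfs.c, behind the new inline wrapper. A one-line comment above the call would keep the invariant discoverable where the flag is actually set by callers: `/* NOMACCHECK is honoured inside mac_vnode_check_lookup(). */`. The enclosing function starts and ends outside the hunk.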
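Review bot: FPFLAG expands to a plain file-scope `bool` with no initializer, so the six new flags start out false, and every wrapper in mac_framework.h that tests them returns 0 without consulting any policy while its flag is false; the fastpath is fail-open by construction and its safety rests entirely on the code that raises a flag when a policy supplying that hook is registered, which is outside this hunk. A comment on the list would make that contract explicit: `/* Zero by default: a false flag makes the corresponding check disappear, so the registration path must raise it before a policy implementing the hook is reachable. */`. The log message names lookup, open, read, write and mmap, but vnode_check_stat is put on the fastpath here as well.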
@@ -403,6 +409,18 @@ struct mac_policy_fastpath_elem {
 struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 { .offset = FPO(priv_check), .flag = &mac_priv_check_fp_flag },
 { .offset = FPO(priv_grant), .flag = &mac_priv_grant_fp_flag },
+ { .offset = FPO(vnode_check_lookup),
+ .flag = &mac_vnode_check_lookup_fp_flag },
+ { .offset = FPO(vnode_check_open),
+ .flag = &mac_vnode_check_open_fp_flag },
+ { .offset = FPO(vnode_check_stat),
+ .flag = &mac_vnode_check_stat_fp_flag },
+ { .offset = FPO(vnode_check_read),
+ .flag = &mac_vnode_check_read_fp_flag },
+ { .offset = FPO(vnode_check_write),
+ .flag = &mac_vnode_check_write_fp_flag },
+ { .offset = FPO(vnode_check_mmap),
+ .flag = &mac_vnode_check_mmap_fp_flag },
 };
 static void
Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h Thu Feb 13 22:22:15 2020 (r357888)
+++ head/sys/security/mac/mac_framework.h Thu Feb 13 22:22:55 2020 (r357889)
@@ -390,6 +390,12 @@ void mac_sysvshm_init(struct shmid_kernel *);
 void mac_thread_userret(struct thread *td);
+#ifdef DEBUG_VFS_LOCKS
+void mac_vnode_assert_locked(struct vnode *vp, const char *func);
+#else
+#define mac_vnode_assert_locked(vp, func) do { } while (0)
+#endif
+
 int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
 void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
 int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, 
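Review bot: Each of the six new mac_policy_fastpath_array entries pairs an FPO() offset with a flag by hand, with the two halves on separate lines, so a copy-paste slip that pairs, say, FPO(vnode_check_read) with mac_vnode_check_write_fp_flag would compile cleanly and silently make the wrong check skippable. Since the same file already generates the flag definitions with an FPFLAG macro, the entries could be generated the same way so the pairing cannot drift: `#define FPENT(f) { .offset = FPO(f), .flag = &mac_##f##_fp_flag }` and then `FPENT(vnode_check_lookup),` per entry (the two existing priv_* entries fit the same shape). How the table is consumed to raise the flags is outside this diff and cannot be checked here.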
@@ -412,18 +418,53 @@ int mac_vnode_check_link(struct ucred *cred, struct vn
 struct vnode *vp, struct componentname *cnp);
 int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace);
-int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+
+int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp);
-int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+extern bool mac_vnode_check_lookup_fp_flag;
+static inline int
+mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+ struct componentname *cnp)
+{
+
+ mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup");
+ if (__predict_false(mac_vnode_check_lookup_fp_flag))
+ return (mac_vnode_check_lookup_impl(cred, dvp, cnp));
+ return (0);
+}
+
+int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
 int flags);
+extern bool mac_vnode_check_mmap_fp_flag;
+static inline int
+mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+ int flags)
+{
+
+ mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");
+ if (__predict_false(mac_vnode_check_mmap_fp_flag))
+ return (mac_vnode_check_mmap_impl(cred, vp, prot, flags));
+ return (0);
+}
+
+int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,
+ accmode_t accmode);
+extern bool mac_vnode_check_open_fp_flag;
+static inline int
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
+ accmode_t accmode)
+{
+
+ mac_vnode_assert_locked(vp, "mac_vnode_check_open");
+ if (__predict_false(mac_vnode_check_open_fp_flag))
+ return (mac_vnode_check_open_impl(cred, vp, accmode));
+ return (0);
+}
+
 int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot);
-int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
- accmode_t accmode);
 int mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp);
-int mac_vnode_check_read(struct ucred *active_cred,
- struct ucred *file_cred, 
struct vnode *vp);
 int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
 int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
 int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 
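Review bot: The new inline wrappers mac_vnode_check_lookup(), mac_vnode_check_mmap() and mac_vnode_check_open() (and stat, read and write in the next hunk, which share the same shape) carry no comment, so a reader sees `return (0)` on the common path and has to reconstruct from mac_framework.c that a false `_fp_flag` appears to mean no loaded policy implements that hook. A block comment before the first wrapper should spell out the contract: that the flag is read here as a plain `bool` with no synchronization, that a false flag makes the policy check vanish entirely, that the `_impl` function holds the real policy walk, and that the vnode lock assertion runs on both paths. Whether the unsynchronized read is safe against a policy being loaded concurrently depends on how the flags are flipped, which this diff does not show, so that is worth stating as an assumption rather than a fact. The NOMACCHECK case is now handled inside mac_vnode_check_lookup_impl() rather than by callers, which the wrapper's comment should also mention.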
@@ -443,12 +484,51 @@ int mac_vnode_check_setowner(struct ucred *cred, struc
 uid_t uid, gid_t gid);
 int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime);
-int mac_vnode_check_stat(struct ucred *active_cred,
+
+int mac_vnode_check_stat_impl(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_stat_fp_flag;
+static inline int
+mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
+{
+
+ mac_vnode_assert_locked(vp, "mac_vnode_check_stat");
+ if (__predict_false(mac_vnode_check_stat_fp_flag))
+ return (mac_vnode_check_stat_impl(active_cred, file_cred, vp));
+ return (0);
+}
+
+int mac_vnode_check_read_impl(struct ucred *active_cred,
+ struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_read_fp_flag;
+static inline int
+mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
+{
+
+ mac_vnode_assert_locked(vp, "mac_vnode_check_read");
+ if (__predict_false(mac_vnode_check_read_fp_flag))
+ return (mac_vnode_check_read_impl(active_cred, file_cred, vp));
+ return (0);
+}
+
+int mac_vnode_check_write_impl(struct ucred *active_cred,
+ struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_write_fp_flag;
+static inline int
+mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
+{
+
+ mac_vnode_assert_locked(vp, "mac_vnode_check_write");
+ if (__predict_false(mac_vnode_check_write_fp_flag))
+ return (mac_vnode_check_write_impl(active_cred, file_cred, vp));
+ return (0);
+}
+
 int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-int mac_vnode_check_write(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp);
 void mac_vnode_copy_label(struct label *, struct label *);
 void mac_vnode_init(struct vnode *);
 int mac_vnode_create_extattr(struct ucred 
*cred, struct mount *mp,
Modified: head/sys/security/mac/mac_vfs.c
==============================================================================
--- head/sys/security/mac/mac_vfs.c Thu Feb 13 22:22:15 2020 (r357888)
+++ head/sys/security/mac/mac_vfs.c Thu Feb 13 22:22:55 2020 (r357889)
@@ -565,13 +565,15 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct uc
 "struct vnode *", "struct componentname *");
 int
-mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp)
 {
 int error;
 ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
+ if ((cnp->cn_flags & NOMACCHECK) != 0)
+ return (0);
 MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
 MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
@@ -582,7 +584,7 @@ MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucre
 "int", "int");
 int
-mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
 int flags)
 {
 int error;
@@ -629,7 +631,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucre
 "accmode_t");
 int
-mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
+mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 int error;
@@ -664,7 +666,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucre
 "struct vnode *");
 int
-mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_read_impl(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp)
 {
 int error;
@@ -889,7 +891,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucre
 "struct vnode *");
 int
-mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp)
 {
 int error; 
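Review bot: mac_vnode_check_lookup_impl() keeps its own ASSERT_VOP_LOCKED() even though it is now reached through the header wrapper, which already calls mac_vnode_assert_locked() on the same vnode before testing the flag, so under DEBUG_VFS_LOCKS the lock is asserted twice per checked lookup. That is harmless, but since `_impl` is an externally visible function that could also be called directly, a one-line comment would record that the duplication is deliberate: `/* Also asserted by the inline wrapper; kept for direct callers. */`. The new NOMACCHECK early return sits after that assertion and before MAC_POLICY_CHECK, so the DTrace probe is not fired for NOMACCHECK lookups, which matches the previous behaviour where the function was not called at all; the rest of the body continues past the hunk.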
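Review bot: The renamed definition line `mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)` in the vnode_check_open hunk runs to 82 columns, past the 80-column limit that the neighbouring definitions respect (the mmap, read and stat hunks wrap their parameter lists onto a continuation line). Wrapping it the same way, `mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,` followed by `    accmode_t accmode)`, would keep the file consistent. Only the signature is touched in that hunk; the body is unchanged and continues past it.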
@@ -927,7 +929,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucr
 "struct ucred *", "struct vnode *");
 int
-mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_write_impl(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp)
 {
 int error;
@@ -1068,3 +1070,12 @@ vn_setlabel(struct vnode *vp, struct label *intlabel,
 return (0);
 }
+
+#ifdef DEBUG_VFS_LOCKS
+void
+mac_vnode_assert_locked(struct vnode *vp, const char *func)
+{
+
+ ASSERT_VOP_LOCKED(vp, func);
+}
+#endif
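Review bot: mac_vnode_assert_locked() has no comment saying why a separately compiled one-line wrapper around ASSERT_VOP_LOCKED() exists at all; the reason, presumably, is that the new inline wrappers in mac_framework.h need a lock assertion without the header having to pull in whatever ASSERT_VOP_LOCKED() expands to, but the diff does not say so. A short comment above the `#ifdef DEBUG_VFS_LOCKS` would record that: `/* Out of line so the inline check wrappers in mac_framework.h can assert the vnode lock without depending on the vnode lock internals. */`. The function body is complete within the hunk.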