Date: Tue, 29 Jun 2021 14:26:43 GMT From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: f77697dd9f31 - main - mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit Message-ID: <202106291426.15TEQhof026881@gitrepo.freebsd.org>
The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=f77697dd9f31df85cd86370888606c81833f7c8a commit f77697dd9f31df85cd86370888606c81833f7c8a Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2021-06-29 12:56:19 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2021-06-29 13:06:45 +0000 mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/security/mac/mac_framework.c | 6 ++++++ sys/security/mac/mac_framework.h | 34 ++++++++++++++++++++++++++++++++-- sys/security/mac/mac_net.c | 10 ++-------- 3 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f0b4f89db7ca..e773a3840464 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -145,6 +145,8 @@ FPFLAG_RARE(vnode_check_access);
 FPFLAG_RARE(vnode_check_readlink);
 FPFLAG_RARE(pipe_check_stat);
 FPFLAG_RARE(pipe_check_poll);
+FPFLAG_RARE(ifnet_create_mbuf);
+FPFLAG_RARE(ifnet_check_transmit);
 #undef FPFLAG
 #undef FPFLAG_RARE
@@ -445,6 +447,10 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 .flag = &mac_pipe_check_stat_fp_flag },
 { .offset = FPO(pipe_check_poll),
 .flag = &mac_pipe_check_poll_fp_flag },
+ { .offset = FPO(ifnet_create_mbuf),
+ .flag = &mac_ifnet_create_mbuf_fp_flag },
+ { .offset = FPO(ifnet_check_transmit),
+ .flag = &mac_ifnet_check_transmit_fp_flag },
 };
 static void
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 481f90a04801..7a46fbedb28d 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
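Review bot: Nothing in `mac_policy_fastpath_array` (second hunk of mac_framework.c) checks that each flag declared with `FPFLAG_RARE()` in the first hunk also has a `{ .offset, .flag }` entry, and a missing entry would fail open: the flag would stay false and the inline wrappers added in mac_framework.h would return without consulting any policy. Both new hooks are paired correctly in this commit, so this is a maintenance hazard rather than a bug. A comment above the array would record the rule, e.g. `/* Every FPFLAG/FPFLAG_RARE hook needs an entry here; without one its policy check never runs. */`. The code that sets the flags from this array is outside the hunk, so confirm the wording against it.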
@@ -143,9 +143,39 @@ void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
 void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
 struct vnode *vp);
-int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m);
+#ifdef MAC
+extern bool mac_ifnet_check_transmit_fp_flag;
+#else
+#define mac_ifnet_check_transmit_fp_flag 0
+#endif
+#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag)
+static inline int
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
+{
+
+ if (mac_ifnet_check_transmit_enabled())
+ return (mac_ifnet_check_transmit_impl(ifp, m));
+ return (0);
+}
+
 void mac_ifnet_create(struct ifnet *ifp);
-void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+
+void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m);
+#ifdef MAC
+extern bool mac_ifnet_create_mbuf_fp_flag;
+#else
+#define mac_ifnet_create_mbuf_fp_flag 0
+#endif
+#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag)
+static inline void
+mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
+{
+
+ if (mac_ifnet_create_mbuf_enabled())
+ mac_ifnet_create_mbuf_impl(ifp, m);
+}
+
 void mac_ifnet_destroy(struct ifnet *);
 void mac_ifnet_init(struct ifnet *);
 int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 161040edf84f..372619c7b583 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -337,14 +337,11 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
 }
 void
-mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m)
 {
 struct label *label;
 int locked;
- if (mac_policy_count == 0)
- return;
-
 label = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
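Review bot: The inline `mac_ifnet_check_transmit()` added in mac_framework.h returns 0 (permit) whenever `mac_ifnet_check_transmit_fp_flag` is false, and `mac_ifnet_create_mbuf()` skips labeling the same way, but neither wrapper documents what makes that default safe. A short comment on each would record the contract, e.g. `/* fp_flag is set only while a loaded policy implements this hook; when clear there is nothing to consult, so permit. */`, to be confirmed against the flag-update code, which is not in this diff. The flag is read as a plain `bool` with no lock or barrier visible here, so presumably a packet racing a policy load can still take the permit path, as it could with the old `mac_policy_count` test; the comment should say so. It would also help to note beside the `_impl` prototypes that callers are expected to go through the wrapper.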
@@ -380,16 +377,13 @@ MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *",
 "struct mbuf *");
 int
-mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m)
 {
 struct label *label;
 int error, locked;
 M_ASSERTPKTHDR(m);
- if (mac_policy_count == 0)
- return (0);
-
 label = mac_mbuf_to_label(m);
 MAC_IFNET_LOCK(ifp, locked);
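Review bot: `M_ASSERTPKTHDR(m)` stays inside `mac_ifnet_check_transmit_impl()`, so it now runs only when the fast-path flag is set, whereas before it ran ahead of the removed `mac_policy_count == 0` test on every call. Debug kernels with no policy implementing this hook therefore lose that sanity check on transmitted mbufs. If the coverage is wanted, move `M_ASSERTPKTHDR(m);` into the inline wrapper in mac_framework.h ahead of the `_enabled()` test (assuming that header can see the macro); otherwise add a comment here such as `/* Only reached when a policy implements ifnet_check_transmit. */`. The same narrowing presumably applies to the `ifnet_check_transmit` probe defined just above the function, whose firing site is in the part of the body outside this hunk.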