Date: Tue, 29 Jun 2021 14:26:43 GMT Message-Id: <202106291426.15TEQhof026881@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mateusz Guzik Subject: git: f77697dd9f31 - main - mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mjg X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f77697dd9f31df85cd86370888606c81833f7c8a Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jun 2021 14:26:43 -0000 The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=f77697dd9f31df85cd86370888606c81833f7c8a commit f77697dd9f31df85cd86370888606c81833f7c8a Author: Mateusz Guzik AuthorDate: 2021-06-29 12:56:19 +0000 Commit: Mateusz Guzik CommitDate: 2021-06-29 13:06:45 +0000 mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/security/mac/mac_framework.c | 6 ++++++ sys/security/mac/mac_framework.h | 34 ++++++++++++++++++++++++++++++++-- sys/security/mac/mac_net.c | 10 ++-------- 3 files changed, 40 insertions(+), 10 deletions(-) diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index f0b4f89db7ca..e773a3840464 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -145,6 +145,8 @@ FPFLAG_RARE(vnode_check_access); FPFLAG_RARE(vnode_check_readlink); FPFLAG_RARE(pipe_check_stat); FPFLAG_RARE(pipe_check_poll); +FPFLAG_RARE(ifnet_create_mbuf); +FPFLAG_RARE(ifnet_check_transmit); #undef FPFLAG #undef FPFLAG_RARE 
@@ -445,6 +447,10 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = { .flag = &mac_pipe_check_stat_fp_flag }, { .offset = FPO(pipe_check_poll), .flag = &mac_pipe_check_poll_fp_flag }, + { .offset = FPO(ifnet_create_mbuf), + .flag = &mac_ifnet_create_mbuf_fp_flag }, + { .offset = FPO(ifnet_check_transmit), + .flag = &mac_ifnet_check_transmit_fp_flag }, }; static void diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 481f90a04801..7a46fbedb28d 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -143,9 +143,39 @@ void mac_devfs_update(struct mount *mp, struct devfs_dirent *de, void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, struct vnode *vp); -int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m); +int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m); +#ifdef MAC +extern bool mac_ifnet_check_transmit_fp_flag; +#else +#define mac_ifnet_check_transmit_fp_flag 0 +#endif +#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag) +static inline int +mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) +{ + + if (mac_ifnet_check_transmit_enabled()) + return (mac_ifnet_check_transmit_impl(ifp, m)); + return (0); +} + void mac_ifnet_create(struct ifnet *ifp); -void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m); + +void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m); +#ifdef MAC +extern bool mac_ifnet_create_mbuf_fp_flag; +#else +#define mac_ifnet_create_mbuf_fp_flag 0 +#endif +#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag) +static inline void +mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) +{ + + if (mac_ifnet_create_mbuf_enabled()) + mac_ifnet_create_mbuf_impl(ifp, m); +} + void mac_ifnet_destroy(struct ifnet *); void mac_ifnet_init(struct ifnet *); int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, 
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 161040edf84f..372619c7b583 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -337,14 +337,11 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m) } void -mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) +mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m) { struct label *label; int locked; - if (mac_policy_count == 0) - return; - label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked); @@ -380,16 +377,13 @@ MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", "struct mbuf *"); int -mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) +mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m) { struct label *label; int error, locked; M_ASSERTPKTHDR(m); - if (mac_policy_count == 0) - return (0); - label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp, locked);
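Review bot: in sys/security/mac/mac_framework.c, the two new mac_policy_fastpath_array entries are the only visible link between the ifnet_create_mbuf / ifnet_check_transmit ops and their _fp_flag variables, and the new inline mac_ifnet_check_transmit() returns 0 whenever its flag is false. A FPFLAG_RARE() line added without its matching array entry would leave the hook skipped, which for a check hook means failing open. A short comment above the array stating that every FPFLAG/FPFLAG_RARE declaration needs an entry here would make that pairing harder to break in later changes.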
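Review bot: in sys/security/mac/mac_framework.h, the static inline mac_ifnet_check_transmit() and mac_ifnet_create_mbuf() wrappers sit outside the #ifdef MAC block, so in the #else branch (flag defined as 0) they still name the _impl functions and depend on the compiler discarding the branch guarded by __predict_false(0). Either place the wrappers and the _impl prototypes under #ifdef MAC, or add a comment saying that callers are expected to be compiled only with MAC. The two *_enabled() #define lines also run past 80 columns and could be wrapped.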
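Review bot: in mac_ifnet_check_transmit_impl() in sys/security/mac/mac_net.c, M_ASSERTPKTHDR(m) used to sit before the removed mac_policy_count test, so it ran on every call; with the test moved into the inline wrapper it now runs only when mac_ifnet_check_transmit_fp_flag is set. If the assertion is still wanted on every transmit path, move it into the wrapper in mac_framework.h; otherwise state in the commit message that the narrower coverage is intended. The commit message has no body, and replacing the mac_policy_count == 0 early return with a per-hook flag is a different condition for running these hooks, which deserves a sentence of explanation there.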