Date:      Wed, 3 Jun 2009 18:46:28 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        cvs-src-old@freebsd.org
Subject:   cvs commit: src/sys/netinet in_pcb.c src/sys/security/mac mac_atalk.c mac_inet.c mac_inet6.c mac_net.c mac_socket.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_lomac mac_lomac.c src/sys/security/mac_mls mac_mls.c ...
Message-ID:  <200906031849.n53In8c3004058@repoman.freebsd.org>

rwatson     2009-06-03 18:46:28 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          in_pcb.c 
    sys/security/mac     mac_atalk.c mac_inet.c mac_inet6.c 
                         mac_net.c mac_socket.c 
    sys/security/mac_biba mac_biba.c 
    sys/security/mac_lomac mac_lomac.c 
    sys/security/mac_mls mac_mls.c 
    sys/security/mac_stub mac_stub.c 
    sys/security/mac_test mac_test.c 
  Log:
  SVN rev 193391 on 2009-06-03 18:46:28Z by rwatson
  
  Continue work to optimize performance of "options MAC" when no MAC policy
  modules are loaded by avoiding mbuf label lookups when policies aren't
  loaded, pushing further socket locking into MAC policy modules, and
  avoiding locking MAC ifnet locks when no policies are loaded:
  
  - Check mac_policies_count before looking for mbuf MAC label m_tags in MAC
    Framework entry points.  We will still pay label lookup costs if MAC
    policies are present but don't require labels (typically a single mbuf
    header field read, but perhaps further indirection if IPSEC or other
    m_tag consumers are in use).
  
  - Further push socket locking for socket-related access control checks and
    events into MAC policies from the MAC Framework, so that sockets are
    only locked if a policy specifically requires a lock to protect a label.
    This resolves lock order issues during sonewconn() and also in local
    domain socket cross-connect where multiple socket locks could not be
    held at once for the purposes of propagating MAC labels across multiple
    sockets.  Eliminate mac_policy_count check in some entry points where it
    no longer avoids locking.
  
  - Add mac_policy_count checking in some entry points relating to network
    interfaces that otherwise lock a global MAC ifnet lock used to protect
    ifnet labels.
  
  Obtained from:  TrustedBSD Project
  
  Revision  Changes    Path
  1.251     +0 -2      src/sys/netinet/in_pcb.c
  1.4       +3 -0      src/sys/security/mac/mac_atalk.c
  1.26      +46 -0     src/sys/security/mac/mac_inet.c
  1.6       +15 -0     src/sys/security/mac/mac_inet6.c
  1.136     +15 -0     src/sys/security/mac/mac_net.c
  1.18      +13 -63    src/sys/security/mac/mac_socket.c
  1.132     +38 -9     src/sys/security/mac_biba/mac_biba.c
  1.76      +37 -9     src/sys/security/mac_lomac/mac_lomac.c
  1.113     +38 -9     src/sys/security/mac_mls/mac_mls.c
  1.95      +79 -0     src/sys/security/mac_stub/mac_stub.c
  1.108     +44 -4     src/sys/security/mac_test/mac_test.c
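
The pattern the log describes, as an added user-space model in C (not code from this commit or from FreeBSD; every name in it is hypothetical): the framework entry point returns before any label lookup or lock when no policy is registered, and only a policy that actually reads a label takes the socket lock.

```c
/* Added user-space model; all names are hypothetical, not FreeBSD kernel symbols. */
#include <errno.h>
#include <pthread.h>

struct label { int level; };
struct sock_model {
    pthread_mutex_t lock;   /* stands in for the socket lock */
    struct label label;     /* label protected by that lock */
    int lock_count;         /* times any policy took the lock */
};
struct policy {             /* a policy does its own locking, if it needs any */
    int (*check_deliver)(struct sock_model *, const struct label *);
};

#define MAX_POLICIES 4
static const struct policy *policies[MAX_POLICIES];
static int policy_count;    /* models the loaded-policy counter */
static int label_lookups;   /* counts modelled mbuf label lookups */

static int policy_register(const struct policy *p) {
    if (policy_count == MAX_POLICIES) return ENOMEM;
    policies[policy_count++] = p;
    return 0;
}

/* Framework entry point: no lookup and no lock when nothing is loaded. */
static int framework_check_deliver(struct sock_model *so, const struct label *tag) {
    if (policy_count == 0) return 0;
    label_lookups++;        /* still paid when loaded policies ignore labels */
    int error = 0;
    for (int i = 0; i < policy_count; i++) {
        int e = policies[i]->check_deliver(so, tag);
        if (e != 0 && error == 0) error = e;  /* this model keeps the first denial */
    }
    return error;
}

/* Label-using policy: takes the socket lock itself to read the label. */
static int labeled_check(struct sock_model *so, const struct label *ml) {
    pthread_mutex_lock(&so->lock);
    so->lock_count++;
    int same = (ml->level == so->label.level);
    pthread_mutex_unlock(&so->lock);
    return same ? 0 : EACCES;
}
/* Stub-style policy: uses no labels, so it never locks the socket. */
static int stub_check(struct sock_model *so, const struct label *ml) {
    (void)so; (void)ml; return 0;
}
static const struct policy labeled_policy = { labeled_check };
static const struct policy stub_policy = { stub_check };
```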


