svn commit: r193332 - in head/sys: kern netatalk netinet rpc security/mac

Pawel Jakub Dawidek pjd at
Wed Jun 3 08:36:27 UTC 2009

On Tue, Jun 02, 2009 at 06:26:17PM +0000, Robert Watson wrote:
> Author: rwatson
> Date: Tue Jun  2 18:26:17 2009
> New Revision: 193332
> URL:
> Log:
>   Add internal 'mac_policy_count' counter to the MAC Framework, which is a
>   count of the number of registered policies.
>   Rather than unconditionally locking sockets before passing them into MAC,
>   lock them in the MAC entry points only if mac_policy_count is non-zero.
>   This avoids locking overhead for a number of socket system calls when no
>   policies are registered, eliminating measurable overhead for the MAC
>   Framework for the socket subsystem when there are no active policies.
>   Possibly socket locks should be acquired by policies if they are required
>   for socket labels, which would further avoid locking overhead when there
>   are policies but they don't require labeling of sockets, or possibly
>   don't even implement socket controls.

This may introduce further overhead if there are few policies that
implement socket controls. Then you will have the cost of npolicies * lock/unlock.
Maybe we could check if there is at least one policy implementing a
particular socket control and, if yes, lock the socket in the framework
only once? This won't be ideal (there might be a socket control that
doesn't need to lock the socket), but it is good enough for my taste :)

Pawel Jakub Dawidek             
pjd at                 
FreeBSD committer                         Am I Evil? Yes, I Am!
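The two counting strategies discussed in this thread, as an added userland illustration (not FreeBSD's mac_policy.c): a global `mac_policy_count` as in the commit, plus a per-hook `mac_socket_hook_count` along the lines of the reply, so the entry point takes the socket lock once, and only when some registered policy actually implements the socket control. The socket lock is simulated by a flag, and the sample policies are constructed for the example.

```c
#include <stddef.h>
/* Added illustration of the entry-point pattern discussed above, not FreeBSD's
 * mac_policy.c. The socket lock is simulated by a flag so it runs in userland. */
#define MAX_POLICIES 8

struct socket {
    int locked;      /* simulated lock state */
    int lock_count;  /* times the framework took the lock */
    int label;       /* stand-in for the MAC socket label */
};

struct policy {
    int (*check_socket)(struct socket *); /* NULL: policy has no socket controls */
};

static struct policy *policies[MAX_POLICIES];
static int mac_policy_count;      /* every registered policy (the commit's counter) */
static int mac_socket_hook_count; /* policies implementing this hook (the reply's idea) */
int mac_policy_register(struct policy *p)
{
    if (mac_policy_count == MAX_POLICIES)
        return -1;
    policies[mac_policy_count++] = p;
    if (p->check_socket != NULL)
        mac_socket_hook_count++;
    return 0;
}

/* Entry point: no locking at all when nothing implements the hook; otherwise
 * lock once and run every implementing policy under that single lock. */
int mac_socket_check(struct socket *so)
{
    int error = 0;
    if (mac_socket_hook_count == 0)
        return 0;
    so->locked = 1;
    so->lock_count++;
    for (int i = 0; i < mac_policy_count && error == 0; i++)
        if (policies[i]->check_socket != NULL)
            error = policies[i]->check_socket(so);
    so->locked = 0;
    return error;
}

/* Constructed sample policies: one without a socket hook, two with hooks. */
static int deny_labeled(struct socket *so) { return so->label != 0 ? 13 : 0; }
static int needs_lock(struct socket *so) { return so->locked ? 0 : -1; }
struct policy label_only = { NULL };
struct policy deny_policy = { deny_labeled };
struct policy lock_policy = { needs_lock };
```

With only `label_only` registered the socket is never locked; once the hook-implementing policies are added, one call to `mac_socket_check` takes the lock exactly once regardless of how many policies run under it.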