svn commit: r347938 - head/sys/security/mac_veriexec

[Stephen J. Kiernan]

Author: stevek
Date: Fri May 17 18:13:43 2019
New Revision: 347938
URL: https://svnweb.freebsd.org/changeset/base/347938

Log:
  Obtain a shared lock instead of exclusive in the MAC/veriexec
  MAC_VERIEXEC_CHECK_PATH_SYSCALL per-MAC policy system call.
  
  When we are checking the status of the fingerprint on a vnode using the
  per-MAC-policy syscall, we do not need an exclusive lock on the vnode.
  
  Even if there is more than one thread requesting the status at the same time,
  the worst we can end up doing is processing the file more than once.
  
  This can potentially be improved in the future with offloading the fingerprint
  evaluation to a separate thread and blocking until the update completes. But
  for now the race is acceptable.
  
  Obtained from:	Juniper Networks, Inc.
  MFC after:	1 week

Modified:
  head/sys/security/mac_veriexec/mac_veriexec.c

Modified: head/sys/security/mac_veriexec/mac_veriexec.c
==============================================================================
--- head/sys/security/mac_veriexec/mac_veriexec.c	Fri May 17 18:10:11 2019	(r347937)
+++ head/sys/security/mac_veriexec/mac_veriexec.c	Fri May 17 18:13:43 2019	(r347938)
@@ -697,7 +697,8 @@ cleanup_file:
 		break;
 	case MAC_VERIEXEC_CHECK_PATH_SYSCALL:
 		/* Look up the path to get the vnode */
-		NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
+		NDINIT(&nd, LOOKUP,
+		    FOLLOW | LOCKLEAF | LOCKSHARED | AUDITVNODE1,
 		    UIO_USERSPACE, arg, td);
 		error = namei(&nd);
 		if (error != 0)