svn commit: r357889 - in head/sys: kern security/mac

Mateusz Guzik mjg at FreeBSD.org
Thu Feb 13 22:22:56 UTC 2020


Author: mjg
Date: Thu Feb 13 22:22:55 2020
New Revision: 357889
URL: https://svnweb.freebsd.org/changeset/base/357889

Log:
  vfs: use mac fastpath for lookup, open, stat, read, write, mmap

Modified:
  head/sys/kern/vfs_lookup.c
  head/sys/security/mac/mac_framework.c
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_vfs.c

Modified: head/sys/kern/vfs_lookup.c
==============================================================================
--- head/sys/kern/vfs_lookup.c	Thu Feb 13 22:22:15 2020	(r357888)
+++ head/sys/kern/vfs_lookup.c	Thu Feb 13 22:22:55 2020	(r357889)
@@ -932,12 +932,9 @@ dirloop:
 	 */
 unionlookup:
 #ifdef MAC
-	if ((cnp->cn_flags & NOMACCHECK) == 0) {
-		error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp,
-		    cnp);
-		if (error)
-			goto bad;
-	}
+	error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp, cnp);
+	if (error)
+		goto bad;
 #endif
 	ndp->ni_dvp = dp;
 	ndp->ni_vp = NULL;
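Review bot: The NOMACCHECK short-circuit that used to sit at this call site is no longer visible to a reader of namei(); it is now honoured inside the check itself (mac_vnode_check_lookup_impl elsewhere in this commit), so a one-line comment here would keep that discoverable, e.g. `/* NOMACCHECK is honoured inside mac_vnode_check_lookup(). */`. One side effect worth stating is that under DEBUG_VFS_LOCKS the inline wrapper's lock assertion now runs for NOMACCHECK lookups too, whereas before such lookups made no MAC call at all; dp appears to be locked at unionlookup regardless, but that is outside the hunk. The enclosing lookup() body starts and ends outside this hunk.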

Modified: head/sys/security/mac/mac_framework.c
==============================================================================
--- head/sys/security/mac/mac_framework.c	Thu Feb 13 22:22:15 2020	(r357888)
+++ head/sys/security/mac/mac_framework.c	Thu Feb 13 22:22:55 2020	(r357889)
@@ -125,6 +125,12 @@ bool __read_frequently mac_##f##_fp_flag
 
 FPFLAG(priv_check);
 FPFLAG(priv_grant);
+FPFLAG(vnode_check_lookup);
+FPFLAG(vnode_check_open);
+FPFLAG(vnode_check_stat);
+FPFLAG(vnode_check_read);
+FPFLAG(vnode_check_write);
+FPFLAG(vnode_check_mmap);
 
 #undef FPFLAG
 
@@ -403,6 +409,18 @@ struct mac_policy_fastpath_elem {
 struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 	{ .offset = FPO(priv_check), .flag = &mac_priv_check_fp_flag },
 	{ .offset = FPO(priv_grant), .flag = &mac_priv_grant_fp_flag },
+	{ .offset = FPO(vnode_check_lookup),
+		.flag = &mac_vnode_check_lookup_fp_flag },
+	{ .offset = FPO(vnode_check_open),
+		.flag = &mac_vnode_check_open_fp_flag },
+	{ .offset = FPO(vnode_check_stat),
+		.flag = &mac_vnode_check_stat_fp_flag },
+	{ .offset = FPO(vnode_check_read),
+		.flag = &mac_vnode_check_read_fp_flag },
+	{ .offset = FPO(vnode_check_write),
+		.flag = &mac_vnode_check_write_fp_flag },
+	{ .offset = FPO(vnode_check_mmap),
+		.flag = &mac_vnode_check_mmap_fp_flag },
 };
 
 static void
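Review bot: The six new table entries wrap their `.flag` initializer onto a continuation line indented with two tabs, whereas style(9) continuation lines use four spaces, and the two existing entries above fit on one line each. If the 80-column limit is what forces the wrap, indenting the continuation as `\t    .flag = &mac_vnode_check_lookup_fp_flag },` (tab plus four spaces) would match the rest of the file. A short comment above the array stating that it must list every hook that has an inline fast-path wrapper in mac_framework.h would also help the next person adding one, since a missing entry silently leaves that hook's flag false.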

Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h	Thu Feb 13 22:22:15 2020	(r357888)
+++ head/sys/security/mac/mac_framework.h	Thu Feb 13 22:22:55 2020	(r357889)
@@ -390,6 +390,12 @@ void	mac_sysvshm_init(struct shmid_kernel *);
 
 void	mac_thread_userret(struct thread *td);
 
+#ifdef DEBUG_VFS_LOCKS
+void	mac_vnode_assert_locked(struct vnode *vp, const char *func);
+#else
+#define mac_vnode_assert_locked(vp, func) do { } while (0)
+#endif
+
 int	mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
 void	mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
 int	mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
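Review bot: The new mac_vnode_assert_locked() declaration lacks a comment explaining why the lock assertion is routed through an out-of-line function instead of using ASSERT_VOP_LOCKED directly in the inline wrappers; presumably it is so that every consumer of mac_framework.h need not see the vnode locking internals, but that is not stated. I would add above the `#ifdef DEBUG_VFS_LOCKS`: `/* Out-of-line so the inline check wrappers below can assert the vnode lock without this header pulling in vnode lock internals. */` (hedged as "presumably" if the reason differs). It is also worth noting in the same comment that the non-debug stub discards both arguments, so callers must not rely on `vp` or `func` being evaluated.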
@@ -412,18 +418,53 @@ int	mac_vnode_check_link(struct ucred *cred, struct vn
 	    struct vnode *vp, struct componentname *cnp);
 int	mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace);
-int	mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+
+int	mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
-int	mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+extern bool mac_vnode_check_lookup_fp_flag;
+static inline int
+mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+    struct componentname *cnp)
+{
+
+	mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup");
+	if (__predict_false(mac_vnode_check_lookup_fp_flag))
+                return (mac_vnode_check_lookup_impl(cred, dvp, cnp));
+	return (0);
+}
+
+int	mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
 	    int flags);
+extern bool mac_vnode_check_mmap_fp_flag;
+static inline int
+mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+    int flags)
+{
+
+	mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");
+	if (__predict_false(mac_vnode_check_mmap_fp_flag))
+		return (mac_vnode_check_mmap_impl(cred, vp, prot, flags));
+	return (0);
+}
+
+int	mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,
+	    accmode_t accmode);
+extern bool mac_vnode_check_open_fp_flag;
+static inline int
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
+    accmode_t accmode)
+{
+
+	mac_vnode_assert_locked(vp, "mac_vnode_check_open");
+	if (__predict_false(mac_vnode_check_open_fp_flag))
+		return (mac_vnode_check_open_impl(cred, vp, accmode));
+	return (0);
+}
+
 int	mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
 	    int prot);
-int	mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
-	    accmode_t accmode);
 int	mac_vnode_check_poll(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
-int	mac_vnode_check_read(struct ucred *active_cred,
-	    struct ucred *file_cred, struct vnode *vp);
 int	mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
 int	mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
 int	mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
@@ -443,12 +484,51 @@ int	mac_vnode_check_setowner(struct ucred *cred, struc
 	    uid_t uid, gid_t gid);
 int	mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
 	    struct timespec atime, struct timespec mtime);
-int	mac_vnode_check_stat(struct ucred *active_cred,
+
+int	mac_vnode_check_stat_impl(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_stat_fp_flag;
+static inline int
+mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct vnode *vp)
+{
+
+	mac_vnode_assert_locked(vp, "mac_vnode_check_stat");
+	if (__predict_false(mac_vnode_check_stat_fp_flag))
+		return (mac_vnode_check_stat_impl(active_cred, file_cred, vp));
+	return (0);
+}
+
+int	mac_vnode_check_read_impl(struct ucred *active_cred,
+	    struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_read_fp_flag;
+static inline int
+mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
+    struct vnode *vp)
+{
+
+	mac_vnode_assert_locked(vp, "mac_vnode_check_read");
+	if (__predict_false(mac_vnode_check_read_fp_flag))
+		return (mac_vnode_check_read_impl(active_cred, file_cred, vp));
+	return (0);
+}
+
+int	mac_vnode_check_write_impl(struct ucred *active_cred,
+	    struct ucred *file_cred, struct vnode *vp);
+extern bool mac_vnode_check_write_fp_flag;
+static inline int
+mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
+    struct vnode *vp)
+{
+
+	mac_vnode_assert_locked(vp, "mac_vnode_check_write");
+	if (__predict_false(mac_vnode_check_write_fp_flag))
+		return (mac_vnode_check_write_impl(active_cred, file_cred, vp));
+	return (0);
+}
+
 int	mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
-int	mac_vnode_check_write(struct ucred *active_cred,
-	    struct ucred *file_cred, struct vnode *vp);
 void	mac_vnode_copy_label(struct label *, struct label *);
 void	mac_vnode_init(struct vnode *);
 int	mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
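Review bot: The relocated wrappers break the header's alphabetical ordering: mac_vnode_check_read was removed from its place between poll and readdir and re-added here after stat, and stat/read/write now sit between setutimes and unlink. If keeping all fast-path wrappers together is the intent, a one-line comment such as `/* Fast-path wrappers; see mac_policy_fastpath_array in mac_framework.c. */` above the group would make that deliberate rather than accidental. Otherwise returning mac_vnode_check_read to its alphabetical slot would keep the header greppable.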

Modified: head/sys/security/mac/mac_vfs.c
==============================================================================
--- head/sys/security/mac/mac_vfs.c	Thu Feb 13 22:22:15 2020	(r357888)
+++ head/sys/security/mac/mac_vfs.c	Thu Feb 13 22:22:55 2020	(r357889)
@@ -565,13 +565,15 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct uc
     "struct vnode *", "struct componentname *");
 
 int
-mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)
 {
 	int error;
 
 	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
 
+	if ((cnp->cn_flags & NOMACCHECK) != 0)
+		return (0);
 	MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
 	MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
 
@@ -582,7 +584,7 @@ MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucre
     "int", "int");
 
 int
-mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
+mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
     int flags)
 {
 	int error;
@@ -629,7 +631,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucre
     "accmode_t");
 
 int
-mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
+mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 	int error;
 
@@ -664,7 +666,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucre
     "struct vnode *");
 
 int
-mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_read_impl(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
@@ -889,7 +891,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucre
     "struct vnode *");
 
 int
-mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
@@ -927,7 +929,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucr
     "struct ucred *", "struct vnode *");
 
 int
-mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_write_impl(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
@@ -1068,3 +1070,12 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, 
 
 	return (0);
 }
+
+#ifdef DEBUG_VFS_LOCKS
+void
+mac_vnode_assert_locked(struct vnode *vp, const char *func)
+{
+
+	ASSERT_VOP_LOCKED(vp, func);
+}
+#endif

