PERFORCE change 14757 for review

Robert Watson rwatson at freebsd.org
Tue Jul 23 04:06:20 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14757

Change 14757 by rwatson at rwatson_paprika on 2002/07/22 21:06:13

	Introduce sysctl/tunable security.mac.cache_fslabel_in_vnode,
	which permits aggressive caching of the mount fslabel in vnode
	labels, assuming that no individual label is available.  Since
	we don't permit relabeling the mountpoint fslabel right now,
	enable by default, which will prevent repeated updating of
	a vnode label from the mountpoint when we know the mountpoint
	will never change labels.  In the future if/when we permit
	the relabeling of the mountpoint, this would need to be turned
	off if use of that feature was anticipated.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#187 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#187 (text+ko) ====

@@ -128,6 +128,12 @@
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
     &mac_label_size, 0, "Pre-compiled MAC label size");
 
+static int	mac_cache_fslabel_in_vnode = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
+    &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
+TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
+    &mac_cache_fslabel_in_vnode);
+
 static unsigned int	mac_ea_cache_hits = 0;
 SYSCTL_UINT(_security_mac, OID_AUTO, ea_cache_hits, CTLFLAG_RD,
     &mac_ea_cache_hits, 0,
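Review bot: The new knob is declared `CTLFLAG_RW`, but nothing in this change clears `VCACHEDLABEL` on vnodes that were flagged while it was 1, so turning it off at runtime appears to affect only vnodes labeled afterwards. That matters for the future case the description mentions, where the mountpoint can be relabeled: already-flagged vnodes would keep the old fslabel. Either say so in a comment above the declaration, e.g. `/* Clearing this does not invalidate labels already cached in vnodes. */`, or make the sysctl `CTLFLAG_RD` and leave the boot-time tunable as the only way to change it.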
@@ -948,6 +954,9 @@
 
 	MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
 	    &mp->mnt_fslabel);
+
+	if (mac_cache_fslabel_in_vnode)
+		vp->v_flag |= VCACHEDLABEL;
 }
 
 /*
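Review bot: Setting `VCACHEDLABEL` here gives this function a side effect that every caller inherits, including the `ENOATTR` path in the next hunk, whose comment used to explain why the flag was deliberately left clear. That path runs on mounts that store per-vnode labels, so a vnode with no attribute yet is now pinned to the mount label; whether a later label write refreshes it is not visible from here. Document the new behaviour at both sites, for example `/* Marks the label cached when security.mac.cache_fslabel_in_vnode is set. */` on this function and a matching sentence in the `ENOATTR` comment. The function begins above the hunk.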
@@ -989,9 +998,7 @@
 
 	case ENOATTR:
 		/*
-		 * Use the label from the mount point.  Since we may want
-		 * to let this label be updated, don't set the caching
-		 * flag.
+		 * Use the label from the mount point.
 		 */
 		mac_update_vnode_from_mount(vp, vp->v_mount);
 		return (0);
@@ -1060,6 +1067,9 @@
 		return (EBADF);
 	}
 
+	if (mac_cache_fslabel_in_vnode)
+		return (0);
+
 	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
 		mac_update_vnode_from_mount(vp, vp->v_mount);
 		return (0);
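Review bot: The early return added before the `MNT_MULTILABEL` check tests the global knob rather than the vnode. With `mac_cache_fslabel_in_vnode` at its default of 1, every call returns 0 here without looking at `vp->v_flag`, so as far as the hunk shows a vnode that was never labeled skips both `mac_update_vnode_from_mount()` and whatever refresh follows for multilabel mounts. If so, policy checks could run against a label that was never loaded. The test presumably should be per vnode, `if (vp->v_flag & VCACHEDLABEL) return (0);`, since the second hunk sets that flag only when the knob is on. The function starts above and continues below the hunk, so a check outside the view may already cover this.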