git: 60dae3b83bec - main - mac: cheaper check for mac_pipe_check_read
Date: Wed, 17 Aug 2022 14:23:50 UTC
The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=60dae3b83bec5b8fa42c18bd1caaa8b4075167ca commit 60dae3b83bec5b8fa42c18bd1caaa8b4075167ca Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2022-08-08 19:14:09 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2022-08-17 14:21:25 +0000 mac: cheaper check for mac_pipe_check_read Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D36082 --- sys/security/mac/mac_framework.c | 3 +++ sys/security/mac/mac_framework.h | 17 ++++++++++++++++- sys/security/mac/mac_pipe.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index e773a3840464..8fc67f6c1b85 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -145,6 +145,7 @@ FPFLAG_RARE(vnode_check_access); FPFLAG_RARE(vnode_check_readlink); FPFLAG_RARE(pipe_check_stat); FPFLAG_RARE(pipe_check_poll); +FPFLAG_RARE(pipe_check_read); FPFLAG_RARE(ifnet_create_mbuf); FPFLAG_RARE(ifnet_check_transmit); @@ -447,6 +448,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = { .flag = &mac_pipe_check_stat_fp_flag }, { .offset = FPO(pipe_check_poll), .flag = &mac_pipe_check_poll_fp_flag }, + { .offset = FPO(pipe_check_read), + .flag = &mac_pipe_check_read_fp_flag }, { .offset = FPO(ifnet_create_mbuf), .flag = &mac_ifnet_create_mbuf_fp_flag }, { .offset = FPO(ifnet_check_transmit), diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 51dbcf909cc4..31951c97a69e 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h 
@@ -271,7 +271,22 @@ extern bool mac_pipe_check_stat_fp_flag; #endif #define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag) int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp); -int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp); +int mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp); +#ifdef MAC +extern bool mac_pipe_check_read_fp_flag; +#else +#define mac_pipe_check_read_fp_flag false +#endif +#define mac_pipe_check_read_enabled() __predict_false(mac_pipe_check_read_fp_flag) +static inline int +mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) +{ + + if (mac_pipe_check_read_enabled()) + return (mac_pipe_check_read_impl(cred, pp)); + return (0); +} + int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp); void mac_pipe_create(struct ucred *cred, struct pipepair *pp); void mac_pipe_destroy(struct pipepair *); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 799801905d54..e58bcd9166e1 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -179,7 +179,7 @@ MAC_CHECK_PROBE_DEFINE2(pipe_check_read, "struct ucred *", "struct pipepair *"); int -mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) +mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp) { int error;
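Review bot: The inline `mac_pipe_check_read()` in the mac_framework.h hunk returns 0 (allow) whenever `mac_pipe_check_read_fp_flag` is clear, so enforcement of this hook now depends on that flag being raised for every loaded policy that implements `pipe_check_read`, and nothing at the wrapper says so. I would add a comment above it, for example `/* Fast path: the flag is clear only while no loaded policy implements pipe_check_read; see mac_policy_fastpath_array in mac_framework.c. */`. The code that sets and clears the flag is outside this diff, so how a flag update orders against a concurrent policy load cannot be judged from these hunks. Separately, the `pipe_check_read` probe is defined next to `mac_pipe_check_read_impl()` in mac_pipe.c, so it presumably no longer fires when the wrapper short-circuits, which matters to anyone tracing MAC decisions; the body of the impl is outside the hunk, so confirm this.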