git: 60dae3b83bec - main - mac: cheaper check for mac_pipe_check_read

From: Mateusz Guzik <mjg_at_FreeBSD.org>
Date: Wed, 17 Aug 2022 14:23:50 UTC
The branch main has been updated by mjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=60dae3b83bec5b8fa42c18bd1caaa8b4075167ca

commit 60dae3b83bec5b8fa42c18bd1caaa8b4075167ca
Author:     Mateusz Guzik <mjg@FreeBSD.org>
AuthorDate: 2022-08-08 19:14:09 +0000
Commit:     Mateusz Guzik <mjg@FreeBSD.org>
CommitDate: 2022-08-17 14:21:25 +0000

    mac: cheaper check for mac_pipe_check_read
    
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D36082
---
 sys/security/mac/mac_framework.c |  3 +++
 sys/security/mac/mac_framework.h | 17 ++++++++++++++++-
 sys/security/mac/mac_pipe.c      |  2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index e773a3840464..8fc67f6c1b85 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -145,6 +145,7 @@ FPFLAG_RARE(vnode_check_access);
 FPFLAG_RARE(vnode_check_readlink);
 FPFLAG_RARE(pipe_check_stat);
 FPFLAG_RARE(pipe_check_poll);
+FPFLAG_RARE(pipe_check_read);
 FPFLAG_RARE(ifnet_create_mbuf);
 FPFLAG_RARE(ifnet_check_transmit);
 
@@ -447,6 +448,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 		.flag = &mac_pipe_check_stat_fp_flag },
 	{ .offset = FPO(pipe_check_poll),
 		.flag = &mac_pipe_check_poll_fp_flag },
+	{ .offset = FPO(pipe_check_read),
+		.flag = &mac_pipe_check_read_fp_flag },
 	{ .offset = FPO(ifnet_create_mbuf),
 		.flag = &mac_ifnet_create_mbuf_fp_flag },
 	{ .offset = FPO(ifnet_check_transmit),
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 51dbcf909cc4..31951c97a69e 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -271,7 +271,22 @@ extern bool mac_pipe_check_stat_fp_flag;
 #endif
 #define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag)
 int	mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
-int	mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int	mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp);
+#ifdef MAC
+extern bool mac_pipe_check_read_fp_flag;
+#else
+#define mac_pipe_check_read_fp_flag false
+#endif
+#define mac_pipe_check_read_enabled() __predict_false(mac_pipe_check_read_fp_flag)
+static inline int
+mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
+{
+
+	if (mac_pipe_check_read_enabled())
+		return (mac_pipe_check_read_impl(cred, pp));
+	return (0);
+}
+
 int	mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
 void	mac_pipe_create(struct ucred *cred, struct pipepair *pp);
 void	mac_pipe_destroy(struct pipepair *);
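Review bot: The new inline `mac_pipe_check_read()` returns 0 (allow) whenever `mac_pipe_check_read_fp_flag` is clear, and nothing in the header states the invariant that makes this safe. The flag is read as a plain `bool` with no visible synchronization, so the access decision relies on the framework setting it before a policy's `pipe_check_read` hook is expected to run. That presumably happens through the `mac_policy_fastpath_array` entry added in mac_framework.c, but the code that updates the flags is not part of this diff. I would add a comment above the wrapper such as `/* Fast path: the flag is clear only while no loaded policy implements pipe_check_read, so returning 0 skips no check. */`. Separately, if the `pipe_check_read` probe fires inside `mac_pipe_check_read_impl()` (its body is outside the visible hunk), it will stop firing on systems with no such policy loaded, which matters to anyone tracing pipe reads through it.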
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 799801905d54..e58bcd9166e1 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -179,7 +179,7 @@ MAC_CHECK_PROBE_DEFINE2(pipe_check_read, "struct ucred *",
     "struct pipepair *");
 
 int
-mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp)
 {
 	int error;