git: f77697dd9f31 - main - mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit
Mateusz Guzik
mjg at FreeBSD.org
Tue Jun 29 14:26:43 UTC 2021
The branch main has been updated by mjg:
URL: https://cgit.FreeBSD.org/src/commit/?id=f77697dd9f31df85cd86370888606c81833f7c8a
commit f77697dd9f31df85cd86370888606c81833f7c8a
Author: Mateusz Guzik <mjg at FreeBSD.org>
AuthorDate: 2021-06-29 12:56:19 +0000
Commit: Mateusz Guzik <mjg at FreeBSD.org>
CommitDate: 2021-06-29 13:06:45 +0000
mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/security/mac/mac_framework.c | 6 ++++++
sys/security/mac/mac_framework.h | 34 ++++++++++++++++++++++++++++++++--
sys/security/mac/mac_net.c | 10 ++--------
3 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f0b4f89db7ca..e773a3840464 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -145,6 +145,8 @@ FPFLAG_RARE(vnode_check_access);
FPFLAG_RARE(vnode_check_readlink);
FPFLAG_RARE(pipe_check_stat);
FPFLAG_RARE(pipe_check_poll);
+FPFLAG_RARE(ifnet_create_mbuf);
+FPFLAG_RARE(ifnet_check_transmit);
#undef FPFLAG
#undef FPFLAG_RARE
@@ -445,6 +447,10 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
.flag = &mac_pipe_check_stat_fp_flag },
{ .offset = FPO(pipe_check_poll),
.flag = &mac_pipe_check_poll_fp_flag },
+ { .offset = FPO(ifnet_create_mbuf),
+ .flag = &mac_ifnet_create_mbuf_fp_flag },
+ { .offset = FPO(ifnet_check_transmit),
+ .flag = &mac_ifnet_check_transmit_fp_flag },
};
static void
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 481f90a04801..7a46fbedb28d 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -143,9 +143,39 @@ void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
-int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m);
+#ifdef MAC
+extern bool mac_ifnet_check_transmit_fp_flag;
+#else
+#define mac_ifnet_check_transmit_fp_flag 0
+#endif
+#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag)
+static inline int
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
+{
+
+ if (mac_ifnet_check_transmit_enabled())
+ return (mac_ifnet_check_transmit_impl(ifp, m));
+ return (0);
+}
+
void mac_ifnet_create(struct ifnet *ifp);
-void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+
+void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m);
+#ifdef MAC
+extern bool mac_ifnet_create_mbuf_fp_flag;
+#else
+#define mac_ifnet_create_mbuf_fp_flag 0
+#endif
+#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag)
+static inline void
+mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
+{
+
+ if (mac_ifnet_create_mbuf_enabled())
+ mac_ifnet_create_mbuf_impl(ifp, m);
+}
+
void mac_ifnet_destroy(struct ifnet *);
void mac_ifnet_init(struct ifnet *);
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
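Review bot: Both inline wrappers fail open, and nothing in the header says so: `mac_ifnet_check_transmit()` returns 0 (allow) whenever `mac_ifnet_check_transmit_fp_flag` is clear, so enforcement now depends on that flag being set whenever a loaded policy implements the hook. The code that maintains the flag is not in this hunk (presumably it is driven by the `mac_policy_fastpath_array` entries added in mac_framework.c), so a short comment above each wrapper would help, e.g. `/* Fast path: skips the MAC hook, returning 0, unless the fp flag says a policy implements it. */`. In the `#else` branch the flag is the literal `0` while the wrapper still names `mac_ifnet_check_transmit_impl()`. That appears to rely on the call being compiled out or on callers sitting under `#ifdef MAC`, which is worth confirming for non-MAC kernels built without optimization.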
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 161040edf84f..372619c7b583 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -337,14 +337,11 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
}
void
-mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int locked;
- if (mac_policy_count == 0)
- return;
-
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp, locked);
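Review bot: `mac_ifnet_create_mbuf_impl()` has no comment explaining that it lost its own `mac_policy_count == 0` early return and is now meant to be reached through the inline `mac_ifnet_create_mbuf()` in mac_framework.h; the same applies to `mac_ifnet_check_transmit_impl()` in the next hunk. A one-line comment above each would do, e.g. `/* Called via the inline wrapper in mac_framework.h once the fast-path flag is set. */`. The function body continues past the end of the hunk.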
@@ -380,16 +377,13 @@ MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *",
"struct mbuf *");
int
-mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error, locked;
M_ASSERTPKTHDR(m);
- if (mac_policy_count == 0)
- return (0);
-
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp, locked);
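Review bot: `M_ASSERTPKTHDR(m)` used to run on every call, ahead of the `mac_policy_count` test, but in `mac_ifnet_check_transmit_impl()` it now runs only when the fast-path flag has already sent the caller here. On kernels where that assertion is compiled in, a transmit of an mbuf without a packet header is no longer caught unless a policy implementing the hook is loaded. If that debug coverage matters, the assertion could move into the inline wrapper in mac_framework.h (assuming the macro is visible there); otherwise a comment noting the intentional change would help. The function body continues past the end of the hunk.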