diff options
author | Mateusz Guzik <mjg@FreeBSD.org> | 2020-08-05 07:34:45 +0000 |
---|---|---|
committer | Mateusz Guzik <mjg@FreeBSD.org> | 2020-08-05 07:34:45 +0000 |
commit | 18f67bc413e8a4e6b313c023e8612603f1ea17c0 (patch) | |
tree | 70bb3dbe168c9f3054407f1417c7e364e22e0330 /sys/security | |
parent | 158ab70c249a73da0eabea685cffb2615cabed99 (diff) | |
download | src-18f67bc413e8a4e6b313c023e8612603f1ea17c0.tar.gz src-18f67bc413e8a4e6b313c023e8612603f1ea17c0.zip |
vfs: add a cheaper entry for mac_vnode_check_access
Notes
Notes:
svn path=/head/; revision=363886
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.c | 3 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 2 |
3 files changed, 17 insertions, 2 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 41c0779fa78e..60431b020782 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -140,6 +140,7 @@ FPFLAG(vnode_check_write); FPFLAG(vnode_check_mmap); FPFLAG_RARE(vnode_check_poll); FPFLAG_RARE(vnode_check_rename_from); +FPFLAG_RARE(vnode_check_access); #undef FPFLAG #undef FPFLAG_RARE @@ -430,6 +431,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = { .flag = &mac_vnode_check_poll_fp_flag }, { .offset = FPO(vnode_check_rename_from), .flag = &mac_vnode_check_rename_from_fp_flag }, + { .offset = FPO(vnode_check_access), + .flag = &mac_vnode_check_access_fp_flag }, }; static void diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 6ae634bd2dfe..70a7aad44757 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -406,8 +406,20 @@ void mac_vnode_assert_locked(struct vnode *vp, const char *func); int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp); void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp); -int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, +int mac_vnode_check_access_impl(struct ucred *cred, struct vnode *dvp, accmode_t accmode); +extern bool mac_vnode_check_access_fp_flag; +#define mac_vnode_check_access_enabled() __predict_false(mac_vnode_check_access_fp_flag) +static inline int +mac_vnode_check_access(struct ucred *cred, struct vnode *dvp, + accmode_t accmode) +{ + + mac_vnode_assert_locked(dvp, "mac_vnode_check_access"); + if (mac_vnode_check_access_enabled()) + return (mac_vnode_check_access_impl(cred, dvp, accmode)); + return (0); +} int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp); int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 7b8489d48103..ec492ba243e6 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -372,7 +372,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *", "struct vnode *", "accmode_t"); int -mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode) +mac_vnode_check_access_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode) { int error; |