authorMateusz Guzik <mjg@FreeBSD.org>2020-07-16 14:09:18 +0000
committerMateusz Guzik <mjg@FreeBSD.org>2020-07-16 14:09:18 +0000
commit3ea3fbe685e0c7858c0bf5f4d29714b8fbbe69a1 (patch)
treea55901dc70808197ffa3781710705b224bdfb1c5 /sys/security
parentf2ed697e732b41820df6cf9e94bdc45b61bd1efc (diff)
vfs: fix vn_poll performance with either MAC or AUDIT
The code would unconditionally lock the vnode to audit or call the mac hook, even if neither wants to do anything. Pre-check the state to avoid locking in the common case of nothing to do. Note this code should not normally be executed anyway, as vnodes always return ready. However, poll1/2 from will-it-scale use regular files for benchmarking, presumably to focus on the interface itself, as the vnode handler is supposed to do almost nothing. This in particular fixes poll2, which passes 128 fds. $ ./poll2_processes -s 10 before: 134411 after: 271572
Notes
Notes: svn path=/head/; revision=363249
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c13
-rw-r--r--sys/security/mac/mac_framework.h4
2 files changed, 16 insertions, 1 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 91f4701737fe..aea3789d572f 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -118,11 +118,18 @@ SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
"");
/*
- * Flags for inlined checks.
+ * Flags for inlined checks. Note this would be best hotpatched at runtime.
+ * The following is a band-aid.
+ *
+ * Use FPFLAG for hooks running in commonly executed paths and FPFLAG_RARE
+ * for the rest.
*/
#define FPFLAG(f) \
bool __read_frequently mac_##f##_fp_flag
+#define FPFLAG_RARE(f) \
+bool __read_mostly mac_##f##_fp_flag
+
FPFLAG(priv_check);
FPFLAG(priv_grant);
FPFLAG(vnode_check_lookup);
@@ -131,8 +138,10 @@ FPFLAG(vnode_check_stat);
FPFLAG(vnode_check_read);
FPFLAG(vnode_check_write);
FPFLAG(vnode_check_mmap);
+FPFLAG_RARE(vnode_check_poll);
#undef FPFLAG
+#undef FPFLAG_RARE
/*
* Labels consist of a indexed set of "slots", which are allocated policies
@@ -416,6 +425,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
.flag = &mac_vnode_check_write_fp_flag },
{ .offset = FPO(vnode_check_mmap),
.flag = &mac_vnode_check_mmap_fp_flag },
+ { .offset = FPO(vnode_check_poll),
+ .flag = &mac_vnode_check_poll_fp_flag },
};
static void
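Review bot: Nothing documents that the new `mac_vnode_check_poll_fp_flag` only works if it is both declared with `FPFLAG_RARE(vnode_check_poll)` in the earlier hunk and listed here in `mac_policy_fastpath_array[]`; the two lists are maintained by hand in separate places. The code that walks the array is outside this hunk, but presumably a flag missing from the array never becomes true, so a caller that pre-checks `mac_vnode_check_poll_enabled()` would skip the MAC hook even with a policy loaded, which fails open. I would add a comment above the array such as `/* Each FPFLAG()/FPFLAG_RARE() flag must have an entry here, otherwise its hook is never enabled. */`. The array definition starts before this hunk.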
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 866ada8ee6e8..1ab82dd709d4 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -463,10 +463,14 @@ mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
+
+#define mac_vnode_check_poll_enabled() __predict_false(mac_vnode_check_poll_fp_flag)
#ifdef MAC
+extern bool mac_vnode_check_poll_fp_flag;
int mac_vnode_check_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
#else
+#define mac_vnode_check_poll_fp_flag 0
static inline int
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
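Review bot: `mac_vnode_check_poll_enabled()` has no comment saying what a caller may conclude from it, and it is the gate that decides whether the MAC poll check runs at all. The flag is a plain `bool` read without a lock, so it is presumably only a hint that can lag behind policy load or unload; a comment like `/* Lockless hint: false means no loaded policy implements the poll hook; the check itself is still mac_vnode_check_poll(). */` would make that contract explicit. Two smaller points: the `#define` line runs past 80 columns and could be wrapped with a backslash, and the non-MAC fallback would match the `bool` declaration better as `#define mac_vnode_check_poll_fp_flag false`. The inline `mac_vnode_check_poll` stub's body continues outside the hunk.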