upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit

Browse source 
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Mateusz Guzik 2021-06-29 14:56:19 +02:00
parent 372691a7ae
commit f77697dd9f
3 changed files with 40 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
sys/security/mac/mac_framework.c
View file

@ -145,6 +145,8 @@ FPFLAG_RARE(vnode_check_access);
FPFLAG_RARE(vnode_check_readlink);
FPFLAG_RARE(pipe_check_stat);
FPFLAG_RARE(pipe_check_poll);
FPFLAG_RARE(ifnet_create_mbuf);
FPFLAG_RARE(ifnet_check_transmit);
#undef FPFLAG
#undef FPFLAG_RARE
@ -445,6 +447,10 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
.flag = &mac_pipe_check_stat_fp_flag },
{ .offset = FPO(pipe_check_poll),
.flag = &mac_pipe_check_poll_fp_flag },
{ .offset = FPO(ifnet_create_mbuf),
.flag = &mac_ifnet_create_mbuf_fp_flag },
{ .offset = FPO(ifnet_check_transmit),
.flag = &mac_ifnet_check_transmit_fp_flag },
};
static void

34
sys/security/mac/mac_framework.h
View file

@ -143,9 +143,39 @@ void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m);
#ifdef MAC
extern bool mac_ifnet_check_transmit_fp_flag;
#else
#define mac_ifnet_check_transmit_fp_flag 0
#endif
#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag)
static inline int
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
if (mac_ifnet_check_transmit_enabled())
return (mac_ifnet_check_transmit_impl(ifp, m));
return (0);
}
void mac_ifnet_create(struct ifnet *ifp);
void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m);
#ifdef MAC
extern bool mac_ifnet_create_mbuf_fp_flag;
#else
#define mac_ifnet_create_mbuf_fp_flag 0
#endif
#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag)
static inline void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
if (mac_ifnet_create_mbuf_enabled())
mac_ifnet_create_mbuf_impl(ifp, m);
}
void mac_ifnet_destroy(struct ifnet *);
void mac_ifnet_init(struct ifnet *);
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,

10
sys/security/mac/mac_net.c
View file

@ -337,14 +337,11 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
}
void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int locked;
if (mac_policy_count == 0)
return;
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp, locked);
@ -380,16 +377,13 @@ MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *",
"struct mbuf *");
int
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error, locked;
M_ASSERTPKTHDR(m);
if (mac_policy_count == 0)
return (0);
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp, locked);