diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 1806e4a15b10..6a36b6bbdd02 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -78,7 +78,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
@@ -165,7 +165,7 @@ MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 *
 * The dynamic policy list is protected by two locks: modifying the list
 * requires both locks to be held exclusively. One of the locks,
- * mac_policy_rw, is acquired over policy entry points that will never sleep;
+ * mac_policy_rm, is acquired over policy entry points that will never sleep;
 * the other, mac_policy_sx, is acquire over policy entry points that may
 * sleep. The former category will be used when kernel locks may be held
 * over calls to the MAC Framework, during network processing in ithreads,
@@ -173,7 +173,7 @@ MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 * allocations, extended attribute I/O, etc.
 */
 #ifndef MAC_STATIC
-static struct rwlock mac_policy_rw; /* Non-sleeping entry points. */
+static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */
 static struct sx mac_policy_sx; /* Sleeping entry points. */
 #endif
@@ -185,14 +185,14 @@ static void mac_policy_xlock_assert(void);
 static void mac_policy_xunlock(void);
 void
-mac_policy_slock_nosleep(void)
+mac_policy_slock_nosleep(struct rm_priotracker *tracker)
 {
 #ifndef MAC_STATIC
 if (!mac_late)
 return;
- rw_rlock(&mac_policy_rw);
+ rm_rlock(&mac_policy_rm, tracker);
 #endif
 }
@@ -212,14 +212,14 @@ mac_policy_slock_sleep(void)
 }
 void
-mac_policy_sunlock_nosleep(void)
+mac_policy_sunlock_nosleep(struct rm_priotracker *tracker)
 {
 #ifndef MAC_STATIC
 if (!mac_late)
 return;
- rw_runlock(&mac_policy_rw);
+ rm_runlock(&mac_policy_rm, tracker);
 #endif
 }
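Review bot: `mac_policy_slock_nosleep()` returns before `rm_rlock()` when `mac_late` is clear, so the caller's `struct rm_priotracker` is left unwritten, and `mac_policy_sunlock_nosleep()` (the `@@ -212,14` hunk) decides on its own whether to hand that tracker to `rm_runlock()`. If `mac_late` could change between the paired calls, the unlock would operate on a tracker that was never filled in; nothing in these hunks shows whether that window exists, so the contract should be written down where the functions are defined. A comment above both would do, for example `/* tracker must be the same object for the paired lock/unlock, stay live on the caller's stack for the whole read section, and mac_late must not change in between. */`.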
@@ -247,7 +247,7 @@ mac_policy_xlock(void)
 return;
 sx_xlock(&mac_policy_sx);
- rw_wlock(&mac_policy_rw);
+ rm_wlock(&mac_policy_rm);
 #endif
 }
@@ -259,7 +259,7 @@ mac_policy_xunlock(void)
 if (!mac_late)
 return;
- rw_wunlock(&mac_policy_rw);
+ rm_wunlock(&mac_policy_rm);
 sx_xunlock(&mac_policy_sx);
 #endif
 }
@@ -272,7 +272,7 @@ mac_policy_xlock_assert(void)
 if (!mac_late)
 return;
- rw_assert(&mac_policy_rw, RA_WLOCKED);
+ /* XXXRW: rm_assert(&mac_policy_rm, RA_WLOCKED); */
 sx_assert(&mac_policy_sx, SA_XLOCKED);
 #endif
 }
@@ -289,7 +289,7 @@ mac_init(void)
 mac_labelzone_init();
 #ifndef MAC_STATIC
- rw_init(&mac_policy_rw, "mac_policy_rw");
+ rm_init(&mac_policy_rm, "mac_policy_rm", 0);
 sx_init(&mac_policy_sx, "mac_policy_sx");
 #endif
 }
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 5099e971f353..45bd52459d40 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -55,6 +55,9 @@
 #error "no user-serviceable parts inside"
 #endif
+#include
+#include
+
 /*
 * MAC Framework sysctl namespace.
 */
@@ -194,9 +197,9 @@ extern struct mtx mac_ifnet_mtx;
 */
 int mac_error_select(int error1, int error2);
-void mac_policy_slock_nosleep(void);
+void mac_policy_slock_nosleep(struct rm_priotracker *tracker);
 void mac_policy_slock_sleep(void);
-void mac_policy_sunlock_nosleep(void);
+void mac_policy_sunlock_nosleep(struct rm_priotracker *tracker);
 void mac_policy_sunlock_sleep(void);
 struct label *mac_labelzone_alloc(int flags);
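Review bot: The exclusive-lock check on the non-sleeping lock is commented out in `mac_policy_xlock_assert()` (`/* XXXRW: rm_assert(&mac_policy_rm, RA_WLOCKED); */`), so after this change the function verifies only `mac_policy_sx`. The block comment in mac_framework.c states that modifying the policy list requires both locks held exclusively, so a path that holds the sx lock but not the rm lock would now pass the assertion while non-sleeping entry points may still be walking the list. If the rmlock API in this tree has no assertion primitive, the comment should say that and name the gap, e.g. `/* XXXRW: rmlock has no assert primitive here; only the sx half of the exclusive lock is checked. */`. The function starts before the hunk.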
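Review bot: `rm_init(&mac_policy_rm, "mac_policy_rm", 0)` passes no option flags and nothing on the line records that choice. With the previous rwlock a shared holder could recurse, whereas an rmlock initialised without `RM_RECURSE` presumably does not allow it, so any non-sleeping entry point that can re-enter the MAC Framework while the read lock is held would behave differently; the hunk does not show whether such a path exists. A short comment would make the intent reviewable, for example `/* opts 0: no read recursion; nosleep entry points must not re-enter the framework. */` once that has been confirmed. `mac_init()` begins before the hunk.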
@@ -294,14 +297,16 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
 error); \
 } \
 if (!LIST_EMPTY(&mac_policy_list)) { \
- mac_policy_slock_nosleep(); \
+ struct rm_priotracker tracker; \
+ \
+ mac_policy_slock_nosleep(&tracker); \
 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
 if (mpc->mpc_ops->mpo_ ## check != NULL) \
 error = mac_error_select( \
 mpc->mpc_ops->mpo_ ## check (args), \
 error); \
 } \
- mac_policy_sunlock_nosleep(); \
+ mac_policy_sunlock_nosleep(&tracker); \
 } \
 } while (0)
@@ -323,7 +328,9 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
 } \
 } \
 if (!LIST_EMPTY(&mac_policy_list)) { \
- mac_policy_slock_nosleep(); \
+ struct rm_priotracker tracker; \
+ \
+ mac_policy_slock_nosleep(&tracker); \
 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
 if (mpc->mpc_ops->mpo_ ## check != NULL) { \
 if (mpc->mpc_ops->mpo_ ## check (args) \
@@ -331,7 +338,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
 error = 0; \
 } \
 } \
- mac_policy_sunlock_nosleep(); \
+ mac_policy_sunlock_nosleep(&tracker); \
 } \
 } while (0)
@@ -371,14 +378,16 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
 mpc->mpc_ops->mpo_ ## operation (args); \
 } \
 if (!LIST_EMPTY(&mac_policy_list)) { \
- mac_policy_slock_nosleep(); \
+ struct rm_priotracker tracker; \
+ \
+ mac_policy_slock_nosleep(&tracker); \
 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
 result = result composition \
 mpc->mpc_ops->mpo_ ## operation \
 (args); \
 } \
- mac_policy_sunlock_nosleep(); \
+ mac_policy_sunlock_nosleep(&tracker); \
 } \
 } while (0)
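Review bot: The new local `struct rm_priotracker tracker;` is declared inside the macro body and `args` is expanded inside the same block, so a call site whose argument expression mentions its own variable named `tracker` would silently bind to the macro's local instead. The visible lines already use `mpc` and `error` without declaring them, so these macros rely on naming alone to stay clear of the caller's scope. A prefixed name such as `mac_rm_tracker` in the declaration and in the two lock calls would avoid the capture. The same declaration is repeated in the `@@ -323,7`, `@@ -371,14` and `@@ -492,12` hunks, and the macro definitions begin before these hunks.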
@@ -492,12 +501,14 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
 mpc->mpc_ops->mpo_ ## operation (args); \
 } \
 if (!LIST_EMPTY(&mac_policy_list)) { \
- mac_policy_slock_nosleep(); \
+ struct rm_priotracker tracker; \
+ \
+ mac_policy_slock_nosleep(&tracker); \
 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
 mpc->mpc_ops->mpo_ ## operation (args); \
 } \
- mac_policy_sunlock_nosleep(); \
+ mac_policy_sunlock_nosleep(&tracker); \
 } \
 } while (0)