Commit Graph

149 Commits

Author SHA1 Message Date
Robert Watson
e33d9f2929 Define BPFD_LOCK_ASSERT() to assert the BPF descriptor lock.
Assert the BPF descriptor lock in the MAC calls referencing live
BPF descriptors.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-29 15:33:56 +00:00
Robert Watson
f97e834b02 Forward declare struct proc, struct sockaddr, and struct thread, which
are employed in entry points later in the same include file.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory, McAfee Research
2004-02-26 20:44:50 +00:00
Robert Watson
f47cb88655 Forward declare struct bpf_d, struct ifnet, struct image_params, and
struct vattr in mac_policy.h.  This permits policies not
implementing entry points using these types to compile without
including include files with these types.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory
2004-02-26 16:15:14 +00:00
Robert Watson
c66b4d8d26 Move inet and inet6 related MAC Framework entry points from mac_net.c
to a new mac_inet.c.  This code is now conditionally compiled based
on inet support being compiled into the kernel.

Move socket related MAC Framework entry points from mac_net.c to a new
mac_socket.c.

To do this, some additional _enforce MIB variables are now non-static.
In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
Pawel Jakub Dawidek
63dba32b76 Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by:	rwatson
Approved by:	rwatson, scottl (mentor)
Tested with:	LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
Robert Watson
f6a4109212 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
Robert Watson
4795b82c13 Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.

- Create a new "struct pipepair" object holding the two 'struct
  pipe' instances, struct mutex, and struct label reference.  Pipe
  structures now have a back-pointer to the pipe pair, and a
  'pipe_present' flag to indicate whether the half has been
  closed.

- Perform mutex init/destroy in zone init/destroy, avoiding
  reallocating the mutex for each pipe.  Perform most pipe structure
  setup in zone constructor.

- VM memory mappings for pageable buffers are still done outside of
  the UMA zone.

- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
  update many policies.  MAC labels are also handled outside of the
  UMA zone for now.  Label-only policy modules don't have to be
  recompiled, but if a module is recompiled, its pipe entry points
  will need to be updated.  If a module actually reached into the
  pipe structures (unlikely), that would also need to be modified.

These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.

On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place.  However, VM mapped buffers
are still released on half-close.

Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).

This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.

Reviewed by:	juli, tjr
Testing help:	dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
Robert Watson
2d92ec9858 Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label.  This avoids reaching up to
the socket layer during connection close, which requires locking
changes.  To do this, introduce MAC Framework entry point
mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
instead of calling mac_create_mbuf_from_socket() or
mac_create_mbuf_netlayer().  Introduce MAC Policy entry point
mpo_create_mbuf_from_inpcb(), and implementations for various
policies, which generally just copy label data from the inpcb to
the mbuf.  Assert the inpcb lock in the entry point since we
require consistency for the inpcb label reference.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-17 14:55:11 +00:00
Robert Watson
56d9e93207 Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-06 21:48:03 +00:00
Robert Watson
a557af222b Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
Robert Watson
b0323ea3aa Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons.  When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.

- Create mac_copy_socket_label() entry point based on
  mac_copy_pipe_label() entry point, intended to copy the socket
  label into temporary storage that doesn't require a socket lock
  to be held (currently Giant).

- Implement mac_copy_socket_label() for various policies.

- Expose socket label allocation, free, internalize, externalize
  entry points as non-static from mac_net.c.

- Use mac_socket_label_set() in __mac_set_fd().

MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
Robert Watson
920325ee1d Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL.  This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application.  Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions.  Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:18:24 +00:00
Robert Watson
c9ea2dcf62 Abstract the label checking and setting logic from
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:01:50 +00:00
Robert Watson
9e71dd0feb Reduce gratuitous redundancy and length in function names:
mac_setsockopt_label_set() -> mac_setsockopt_label()
  mac_getsockopt_label_get() -> mac_getsockopt_label()
  mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 18:25:20 +00:00
Robert Watson
5d9d409ca9 Whitespace fix. 2003-11-16 03:17:30 +00:00
Bruce Evans
57f253a4c6 Reduced prequisites by only using MALLOC_DECLARE() if it is defined.
This fixes a dependency of mac_label.c on namespace pollution in
<vm/uma.h>.

Similarly for SYSCTL_DECL() although I had no problems with it.  This
probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
Robert Watson
f0ab044241 Mark __mac_get_pid() as MPSAFE in the comment, as it runs without
Giant and is also MPSAFE.

Push Giant further down into __mac_get_fd() and __mac_set_fd(),
grabbing it only for constrained regions dealing with VFS, and
dropping it entirely for operations related to labeling of pipes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-12 22:19:15 +00:00
Robert Watson
39fc5d480d GC prototype for mac_destroy_vnode_label(), missed in last commit. 2003-11-12 03:33:43 +00:00
Robert Watson
eca8a663d4 Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c).  This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE.  This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time.  This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.

This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.

While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.

NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change.  Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.

Suggestions from:	bmilekic
Obtained from:		TrustedBSD Project
Sponsored by:		DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
Robert Watson
c8e7bf92ad Whitespace sync to MAC branch, expand comment at the head of the file. 2003-11-11 03:40:04 +00:00
Robert Watson
bea2b56b26 When allocation of a socket peer label fails, scrub what was
successfully initialized in the label as a socket peer label, not a
socket label.  For current policy modules, this didn't make a
difference, but if a policy module had label data in the peer label
that was to be GC'd in a different way than the normal socket label,
it might have been a problem.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-07 22:31:27 +00:00
Robert Watson
55b13f8d2d Trim trailing whitespace. 2003-11-07 04:48:24 +00:00
Robert Watson
83b7b0edca Remove the flags argument from mac_externalize_*_label(), as it's not
passed into policies or used internally to the MAC Framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
Robert Watson
da77b2fa6b Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object
type, rather than "object_label" as the first argument.  This reduces
complexity a little for the consumer, and also makes it easier for
use to rename the underlying entry points in struct mac_policy_obj.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-25 15:28:20 +00:00
Robert Watson
138f64b698 Sort type declarations together.
Remove an excess carriage return.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-25 03:50:44 +00:00
Robert Watson
6fa0475d95 mac_Finish break-out of kern_mac.c into parts:
Include src/sys/security/mac/mac_internal.h in kern_mac.c.

  Remove redundant defines from the include: SYSCTL_DECL(), debug macros,
    composition macros.

  Unstaticize various bits now exposed to the remainder of the kernel:
    mac_init_label(), mac_destroy_label().

  Remove all the functions now implemented in mac_process/mac_vfs/mac_net/
    mac_pipe.  Also remove debug counters, sysctls exporting debug
    counters, enforcement flags, sysctls exporting enforcement flags.

  Leave module declaration, sysctl nodes, mactemp malloc type, system
    calls.

This should conclude MAC/LINT/NOTES breakage from the break-out process,
but I'm running builds now to make sure I caught everything.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:59:31 +00:00
Robert Watson
089c1bdac9 Variable cleanup following break-out of kern_mac.c into sys/security/mac:
Unstaticize mac_late.
  Remove ea_warn_once, now in mac_vfs.c.
  Unstaticisize mac_policy_list, mac_static_policy_list, use
    struct mac_policy_list_head instead of LIST_HEAD() directly.
  Unstaticize and un-inline MAC policy locking functions so they can
    be referenced from mac_*.c.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:47:41 +00:00
Robert Watson
9e7bf51ca8 Rename error_select() to mac_error_select(), and unstaticize so it
can be used from src/sys/security/mac/mac_*.c.

Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories
2003-10-22 20:42:22 +00:00
Robert Watson
6cc24dcbb4 Remove non-VFS related code from mac_vfs.c. Leave:
Extended attribute transaction warning flag if transactions aren't
  supported on the EA implementation being used.

  Debug fallback flag to permit a less conservative fallback if reading
  an on-disk label fails.

  Enforce_fs toggle to enforce file systme access control.

  Debugging counters for file system objects: mounts, vnodes, devfs_dirents.

  Object initialization, destruction, copying, internalization,
  externalization, relabeling for file system objects.

  Life cycle operations for devfs entries.

  Generic extended attribute label implementation for use by UFS, UFS2 in
  multilabel mode.

  Generic single-level label implementation for use by all file systems
  when in singlelabel mode.

  Exec-time transition based on file label entry points.

  Vnode operation access control checks (many).

  Mount operation access control checks (few).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Robert Watson
6bd1173258 Remove non-system bits from mac_system.c. Leave:
Enforce_kld, enforce_system access control toggles.
  Access control checks for: kenv operation, kld operations,
    sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(),
    swapoff(), sysctl().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
Robert Watson
5a9c1aaac5 Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
  Credential, process label counters.
  VM revocation sysctls/tunables.
  Credential label management, internalization/externalization/relabel
    code.
  Process label management.
  Proc0, proc1 creation, cred creation.
  Thread userret.
  mac_execve_enter(), _exit(), transition at exec-time.
  VM revocation on process label change.
  Process-related access control checks (visibility, debug, signal, sched).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
Robert Watson
73275908f7 Remove non-pipe code from mac_pipe.c. Leave:
Pipe enforcement flag.
  Pipe object debugging counters.
  MALLOC type for MAC label storage.
  Pipe MAC label management routines, externalize/internalization/change
    routines.
  Pipe MAC access control checks.

Un-staticize functions called from mac_set_fd() when operating on a
pipe.  Abstraction improvements in this space seem likely.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 19:31:57 +00:00
Robert Watson
28e65e3d2b Remove non-network related contents from mac_net.c. Leave:
Network and socket enforcement toggles.
  Counters for network objects (mbufs, ifnets, bpfdecs, sockets, and ipqs).
  Label management routines for network objects.
  Life cycle events for network objects.
  Label internalization/externalization/relabel for ifnets, sockets,
    including ioctl implementations for sockets, ifnets.
  Access control checks relating to network obejcts.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 19:15:34 +00:00
Robert Watson
86ea834c58 The following shared types/constants/interfaces/... are required
in mac_internal.h:

  Sysctl tree declarations.

  Policy list structure definition.

  Policy list variables (static, dynamic).

  mac_late flag.

  Enforcement flags for process, vm, which have checks in multiple files.

  mac_labelmbufs variable to drive conditional mbuf labeling.

  M_MACTEMP malloc type.

  Debugging counter macros.

  MAC Framework infrastructure primitives, including policy locking
    primitives, kernel label initialization/destruction, userland
    label consistency checks, policy slot allocation.

  Per-object interfaces for objects that are internalized and externalized
    using system calls that will remain centrally defined: credentials,
    pipes, vnodes.

  MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE,
    MAC_INTERNALIZE, MAC_PERFORM.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
Robert Watson
6b66d5bb4b Use __BEGIN_DECLS and __END_DECLS around userland function prototypes
so that mac.h may be more safely included in userland C++ applications.

PR:		bin/56595
Submitted by:	"KONDOU, Kazuhiro" <kazuhiro@alib.jp>
2003-10-02 03:07:51 +00:00
Robert Watson
cc7b13bfe0 If the struct mac copied into the kernel has a negative length, return
EINVAL rather than failing the following malloc due to the value being
too large.
2003-09-29 18:35:17 +00:00
Robert Watson
953222e210 Remove extra tabs indenting MAC library calls; they were there to
line up the function names in an earlier generation of the API when
some of the functions returned structure pointers.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-29 02:43:57 +00:00
Robert Watson
a6a65b05d5 Fix a mac_policy_list reference to be a mac_static_policy_list
reference: this fixes mac_syscall() for static policies when using
optimized locking.

Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories
2003-08-26 17:29:02 +00:00
Robert Watson
930d4ffa56 Make the elements argument to mac_prepare() be const.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-22 17:49:59 +00:00
Robert Watson
6139aaa8df Add prototype for new libc function mac_prepare_type().
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-22 17:39:39 +00:00
Robert Watson
eb8c7f9992 Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp()
  mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket.  For example, in respond to a ping or a RST
packet to a SYN on a closed port.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 18:21:22 +00:00
Robert Watson
c096756c00 Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the setextattr and
getextattr checks.  This reflects EA API changes in the kernel made
recently, including the move to explicit VOP's for both of these
operations.

Obtained from:	TrustedBSD PRoject
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 13:53:01 +00:00
Robert Watson
8d8d5ea8f2 Remove about 40 lines of #ifdef/#endif by using new macros
MAC_DEBUG_COUNTER_INC() and MAC_DEBUG_COUNTER_DEC() to maintain
debugging counter values rather than #ifdef'ing the atomic
operations to MAC_DEBUG.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-20 19:16:49 +00:00
Robert Watson
19c3e120f0 Attempt to simplify #ifdef logic for MAC_ALWAYS_LABEL_MBUF.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-01 15:45:14 +00:00
Robert Watson
f51e58036e Redesign the externalization APIs from the MAC Framework to
the MAC policy modules to improve robustness against C string
bugs and vulnerabilities.  Following these revisions, all
string construction of labels for export to userspace (or
elsewhere) is performed using the sbuf API, which prevents
the consumer from having to perform laborious and intricate
pointer and buffer checks.  This substantially simplifies
the externalization logic, both at the MAC Framework level,
and in individual policies; this becomes especially useful
when policies export more complex label data, such as with
compartments in Biba and MLS.

Bundled in here are some other minor fixes associated with
externalization: including avoiding malloc while holding the
process mutex in mac_lomac, and hence avoid a failure mode
when printing labels during a downgrade operation due to
the removal of the M_NOWAIT case.

This has been running in the MAC development tree for about
three weeks without problems.

Obtained from:	TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
Robert Watson
16fd30bd2a Forward declare a boatload of structures referenced in the MAC
policy definition structure; this permits policies to reduce their
number of gratuitous includes for required for entry points they
don't implement.  This also facilitates building the MAC Framework
on Darwin.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-06-22 16:36:00 +00:00
Poul-Henning Kamp
3b6d965263 Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for
stuff like the f*() functions.

By giving the vnode a speparate field, a number of checks for the specific
subtype can be replaced simply with a check for f_vnode != NULL, and
we can later free f_data up to subtype specific use.

At this point in time, f_data still points to the vnode, so any code I
might have overlooked will still work.
2003-06-22 08:41:43 +00:00
David E. O'Brien
677b542ea2 Use __FBSDID(). 2003-06-11 00:56:59 +00:00
Robert Watson
b2aef57123 Rename MAC_MAX_POLICIES to MAC_MAX_SLOTS, since the variables and
constants in question refer to the number of label slots, not the
maximum number of policies that may be loaded.  This should reduce
confusion regarding an element in the MAC sysctl MIB, as well as
make it more clear what the affect of changing the compile-time
constants is.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-05-08 19:49:42 +00:00
Robert Watson
41a17fe326 Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt
    to avoid treating them as mutexes.  This cleans up locking
    accessor function names some.

(2) Rename variables to _mtx, _cv, _count, simplifying the naming.

(3) Add a new form of the _busy() primitive that conditionally
    makes the list busy: if there are entries on the list, bump
    the busy count.  If there are no entries, don't bump the busy
    count.  Return a boolean indicating whether or not the busy
    count was bumped.

(4) Break mac_policy_list into two lists: one with the same name
    holding dynamic policies, and a new list, mac_static_policy_list,
    which holds policies loaded before mac_late and without the
    unload flag set.  The static list may be accessed without
    holding the busy count, since it can't change at run-time.

(5) In general, prefer making the list busy conditionally, meaning
    we pay only one mutex lock per entry point if all modules are
    on the static list, rather than two (since we don't have to
    lower the busy count when we're done with the framework).  For
    systems running just Biba or MLS, this will halve the mutex
    accesses in the network stack, and may offer a substantial
    performance benefits.

(6) Lay the groundwork for a dynamic-free kernel option which
    eliminates all locking associated with dynamically loaded or
    unloaded policies, for pre-configured systems requiring
    maximum performance but less run-time flexibility.

These changes have been running for a few weeks on MAC development
branch systems.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00