freebsd-nq/sys/security
Robert Watson 5c95417dad
When MAC is enabled and a policy module is loaded, don't unconditionally
lock mac_ifnet_mtx, which protects labels on struct ifnet, unless at least
one policy is actively using labels on ifnets.  This avoids a global mutex
acquire in certain fast paths -- most noticeably ifnet transmit.  This was
previously invisible by default, as no MAC policies were loaded by default,
but recently became visible due to mac_ntpd being enabled by default.

gallatin@ reports a reduction in PPS overhead from 300% to 2.2% with this
change.  We will want to explore further MAC Framework optimisation to
reduce overhead further, but this brings things more back into the world
of the sane.

MFC after:	3 days
2019-05-03 20:38:43 +00:00
audit Create new EINTEGRITY error with message "Integrity check failed". 2019-01-17 06:35:45 +00:00
mac When MAC is enabled and a policy module is loaded, don't unconditionally 2019-05-03 20:38:43 +00:00
mac_biba
mac_bsdextended Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
mac_ifoff
mac_lomac Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
mac_mls
mac_none
mac_ntpd Make it possible to run ntpd as a non-root user, add ntpd uid and gid. 2018-07-19 23:55:29 +00:00
mac_partition Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
mac_portacl Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
mac_seeotheruids Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
mac_stub
mac_test
mac_veriexec Add mpo_vnode_check_setmode MAC method to MAC/veriexec. 2018-07-14 17:21:16 +00:00
mac_veriexec_parser Create kernel module to parse Veriexec manifest based on envs 2019-04-03 03:57:37 +00:00