From 3b5abfd5ec2d8bc7502c7253ec33dded06d8f10c Mon Sep 17 00:00:00 2001
From: mjg
Date: Wed, 5 Aug 2020 07:34:45 +0000
Subject: [PATCH] vfs: add a cheaper entry for mac_vnode_check_access
---
 sys/security/mac/mac_framework.c | 3 +++
 sys/security/mac/mac_framework.h | 14 +++++++++++++-
 sys/security/mac/mac_vfs.c | 2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 41c0779fa78e..60431b020782 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -140,6 +140,7 @@ FPFLAG(vnode_check_write);
 FPFLAG(vnode_check_mmap);
 FPFLAG_RARE(vnode_check_poll);
 FPFLAG_RARE(vnode_check_rename_from);
+FPFLAG_RARE(vnode_check_access);
 #undef FPFLAG
 #undef FPFLAG_RARE
@@ -430,6 +431,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 .flag = &mac_vnode_check_poll_fp_flag },
 { .offset = FPO(vnode_check_rename_from),
 .flag = &mac_vnode_check_rename_from_fp_flag },
+ { .offset = FPO(vnode_check_access),
+ .flag = &mac_vnode_check_access_fp_flag },
 };
 static void
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 6ae634bd2dfe..70a7aad44757 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -406,8 +406,20 @@ void mac_vnode_assert_locked(struct vnode *vp, const char *func);
 int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
 void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
-int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_access_impl(struct ucred *cred, struct vnode *dvp,
 accmode_t accmode);
+extern bool mac_vnode_check_access_fp_flag;
+#define mac_vnode_check_access_enabled() __predict_false(mac_vnode_check_access_fp_flag)
+static inline int
+mac_vnode_check_access(struct ucred *cred, struct vnode *dvp,
+ accmode_t accmode)
+{
+
+ mac_vnode_assert_locked(dvp, "mac_vnode_check_access");
+ if (mac_vnode_check_access_enabled())
+ return (mac_vnode_check_access_impl(cred, dvp, accmode));
+ return (0);
+}
 int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
 int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
 int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 7b8489d48103..ec492ba243e6 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -372,7 +372,7 @@ MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *", "struct vnode *", "accmode_t");
 int
-mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
+mac_vnode_check_access_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 int error;
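Review bot: In mac_framework.h the new inline mac_vnode_check_access() returns 0 whenever mac_vnode_check_access_fp_flag is false, so that flag now decides whether any MAC policy is consulted, and nothing at the wrapper says so. A short comment above it would record the contract, for example `/* Skips the policy walk unless the FPO(vnode_check_access) entry in mac_policy_fastpath_array has set the flag. */`. The code that updates the flag when a policy is loaded or unloaded is outside this diff, so its ordering against a concurrent caller of the wrapper is worth confirming. The prototype and the wrapper also name the vnode parameter `dvp`, while the removed prototype and the definition in mac_vfs.c use `vp`; `struct vnode *vp` would keep the three in agreement.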