From f0c2044bd9da449a21d446058a05b5ba33b4ef42 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sat, 16 Apr 2005 18:33:13 +0000
Subject: [PATCH] In mac_get_fd(), remove unconditional acquisition of Giant around copying of the socket label to thread-local storage, and replace it with conditional acquisition based on debug.mpsafenet. Acquire the socket lock around the copy operation. In mac_set_fd(), replace the unconditional acquisition of Giant with the conditional acquisition of Giant based on debug.mpsafenet. The socket lock is acquired in mac_socket_label_set() so doesn't have to be acquired here.
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
---
 sys/kern/kern_mac.c | 16 +++++++---------
 sys/security/mac/mac_framework.c | 16 +++++++---------
 sys/security/mac/mac_syscalls.c | 16 +++++++---------
 3 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index f44a380a1b7a..085410990351 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1,7 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
- * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -802,11 +802,11 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 case DTYPE_SOCKET:
 so = fp->f_data;
 intlabel = mac_socket_label_alloc(M_WAITOK);
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
+ SOCK_LOCK(so);
 mac_copy_socket_label(so->so_label, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ SOCK_UNLOCK(so);
+ NET_UNLOCK_GIANT();
 error = mac_externalize_socket_label(intlabel, elements, buffer, mac.m_buflen);
 mac_socket_label_free(intlabel);
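Review bot: The `DTYPE_SOCKET` case of `__mac_get_fd()` no longer carries any comment on its locking: the removed `XXX` markers were the only in-code hint, and nothing now says why `so->so_label` is copied into `intlabel` under `SOCK_LOCK(so)` and externalized only after both locks are dropped. I would add `/* Snapshot the label under the socket lock; externalize the private copy unlocked. */` above `NET_LOCK_GIANT();`. Because Giant is now taken only conditionally, the socket lock is presumably the sole protection for the label on this path, so every other reader and writer of `so->so_label` has to hold it as well, which this hunk cannot show. The same hunk appears in sys/security/mac/mac_framework.c and sys/security/mac/mac_syscalls.c, and the function body starts and ends outside it.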
@@ -1012,12 +1012,10 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 error = mac_internalize_socket_label(intlabel, buffer);
 if (error == 0) {
 so = fp->f_data;
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
 error = mac_socket_label_set(td->td_ucred, so, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ NET_UNLOCK_GIANT();
 }
 mac_socket_label_free(intlabel);
 break;
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f44a380a1b7a..085410990351 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -1,7 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
- * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -802,11 +802,11 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 case DTYPE_SOCKET:
 so = fp->f_data;
 intlabel = mac_socket_label_alloc(M_WAITOK);
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
+ SOCK_LOCK(so);
 mac_copy_socket_label(so->so_label, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ SOCK_UNLOCK(so);
+ NET_UNLOCK_GIANT();
 error = mac_externalize_socket_label(intlabel, elements, buffer, mac.m_buflen);
 mac_socket_label_free(intlabel);
@@ -1012,12 +1012,10 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 error = mac_internalize_socket_label(intlabel, buffer);
 if (error == 0) {
 so = fp->f_data;
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
 error = mac_socket_label_set(td->td_ucred, so, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ NET_UNLOCK_GIANT();
 }
 mac_socket_label_free(intlabel);
 break;
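Review bot: The socket case of `__mac_set_fd()` now calls `mac_socket_label_set()` with no socket lock and no comment saying why, while the read path in `__mac_get_fd()` takes `SOCK_LOCK(so)` explicitly; the reason is given only in the commit message. I would add `/* mac_socket_label_set() acquires the socket lock itself. */` above the call so the asymmetry is not mistaken for a missing lock. It is also worth confirming that the policy check against `td->td_ucred` and the label update happen under a single hold of that lock inside `mac_socket_label_set()`, since with Giant now conditional a gap between the two would presumably let the label change between authorization and relabel; the callee is not visible here. The same hunk appears in sys/security/mac/mac_framework.c and sys/security/mac/mac_syscalls.c, and the function body starts and ends outside it.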
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index f44a380a1b7a..085410990351 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1,7 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
- * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -802,11 +802,11 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 case DTYPE_SOCKET:
 so = fp->f_data;
 intlabel = mac_socket_label_alloc(M_WAITOK);
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
+ SOCK_LOCK(so);
 mac_copy_socket_label(so->so_label, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ SOCK_UNLOCK(so);
+ NET_UNLOCK_GIANT();
 error = mac_externalize_socket_label(intlabel, elements, buffer, mac.m_buflen);
 mac_socket_label_free(intlabel);
@@ -1012,12 +1012,10 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 error = mac_internalize_socket_label(intlabel, buffer);
 if (error == 0) {
 so = fp->f_data;
- mtx_lock(&Giant); /* Sockets */
- /* XXX: Socket lock here. */
+ NET_LOCK_GIANT();
 error = mac_socket_label_set(td->td_ucred, so, intlabel);
- /* XXX: Socket unlock here. */
- mtx_unlock(&Giant); /* Sockets */
+ NET_UNLOCK_GIANT();
 }
 mac_socket_label_free(intlabel);
 break;