Switch to using the inpcb MAC label instead of socket MAC label when

labeling new mbufs created from sockets/inpcbs in IPv4.  This helps avoid
the need for socket layer locking in the lower level network paths
where inpcb locks are already frequently held where needed.  In
particular:

- Use the inpcb for label instead of socket in raw_append().
- Use the inpcb for label instead of socket in tcp_output().
- Use the inpcb for label instead of socket in tcp_respond().
- Use the inpcb for label instead of socket in tcp_twrespond().
- Use the inpcb for label instead of socket in syncache_respond().

While here, modify tcp_respond() to avoid assigning NULL to a stack
variable and centralize assertions about the inpcb when inp is
assigned.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
rwatson 2004-05-04 02:11:47 +00:00
parent e15e5d4977
commit ff404935e2
6 changed files with 20 additions and 8 deletions


@ -248,7 +248,9 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST;
#ifdef MAC
mac_create_mbuf_from_socket(so, m);
INP_LOCK(inp);
mac_create_mbuf_from_inpcb(inp, m);
INP_UNLOCK(inp);
#endif
/*
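Review bot: The label on outgoing raw-IP packets now comes from the inpcb rather than the socket at `mac_create_mbuf_from_inpcb(inp, m)`, so enforcement depends on the inpcb label being updated whenever the socket is relabeled. That propagation is not visible in this commit and is worth confirming, since a stale inpcb label would put the old label on newly created mbufs. The same dependency applies to the tcp_output(), tcp_respond(), syncache_respond() and udp_output() call sites. A short comment above the locked region would record it, for example `/* Label from the inpcb, not the socket; must track socket relabels. */`. The declaration of `inp` and the rest of rip_output() lie outside the hunk.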


@ -692,7 +692,7 @@ send:
}
m->m_pkthdr.rcvif = (struct ifnet *)0;
#ifdef MAC
mac_create_mbuf_from_socket(so, m);
mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
#endif
#ifdef INET6
if (isipv6) {
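Review bot: The new call `mac_create_mbuf_from_inpcb(tp->t_inpcb, m)` reads the inpcb label with no lock assertion visible in the hunk, while the tcp_respond() and udp_output() call sites are each preceded by `INP_LOCK_ASSERT`. Unless tcp_output() already asserts the lock outside this hunk, add `INP_LOCK_ASSERT(tp->t_inpcb);` on the line before the call so the locking assumption stated in the commit message is checked on this path as well. The enclosing function starts and ends outside the hunk.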


@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
int isipv6;
#endif /* INET6 */
int ipflags = 0;
struct inpcb *inp = NULL;
struct inpcb *inp;
KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
INP_INFO_WLOCK_ASSERT(&tcbinfo);
INP_LOCK_ASSERT(inp);
} else
inp = NULL;
if (tp != NULL) {
if (!(flags & TH_RST)) {
win = sbspace(&inp->inp_socket->so_rcv);
if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
* Packet is associated with a socket, so allow the
* label of the response to reflect the socket label.
*/
mac_create_mbuf_from_socket(inp->inp_socket, m);
INP_LOCK_ASSERT(inp);
mac_create_mbuf_from_inpcb(inp, m);
} else {
/*
* Packet is not associated with a socket, so possibly
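Review bot: The comment above the changed call still says the response should "reflect the socket label", but the new code labels the mbuf from the inpcb, so the comment is now out of date. Reword its two lines to something like `* Packet is associated with an inpcb, so allow the` and `* label of the response to reflect the inpcb label.` The identical tcp_respond() section further down the page carries the same stale comment. The `if` that guards this branch is outside the hunk.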


@ -1131,7 +1131,7 @@ syncache_respond(sc, m)
inp = sc->sc_tp->t_inpcb;
INP_LOCK(inp);
#ifdef MAC
mac_create_mbuf_from_socket(inp->inp_socket, m);
mac_create_mbuf_from_inpcb(inp, m);
#endif
#ifdef INET6


@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
int isipv6;
#endif /* INET6 */
int ipflags = 0;
struct inpcb *inp = NULL;
struct inpcb *inp;
KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
INP_INFO_WLOCK_ASSERT(&tcbinfo);
INP_LOCK_ASSERT(inp);
} else
inp = NULL;
if (tp != NULL) {
if (!(flags & TH_RST)) {
win = sbspace(&inp->inp_socket->so_rcv);
if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
* Packet is associated with a socket, so allow the
* label of the response to reflect the socket label.
*/
mac_create_mbuf_from_socket(inp->inp_socket, m);
INP_LOCK_ASSERT(inp);
mac_create_mbuf_from_inpcb(inp, m);
} else {
/*
* Packet is not associated with a socket, so possibly


@ -728,7 +728,7 @@ udp_output(inp, m, addr, control, td)
INP_LOCK_ASSERT(inp);
#ifdef MAC
mac_create_mbuf_from_socket(inp->inp_socket, m);
mac_create_mbuf_from_inpcb(inp, m);
#endif
if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {