freebsd-skq/sys/security/mac
Robert Watson 5c95417dad
When MAC is enabled and a policy module is loaded, don't unconditionally
lock mac_ifnet_mtx, which protects labels on struct ifnet, unless at least
one policy is actively using labels on ifnets.  This avoids a global mutex
acquire in certain fast paths -- most noticeably ifnet transmit.  This was
previously invisible by default, as no MAC policies were loaded by default,
but recently became visible due to mac_ntpd being enabled by default.

gallatin@ reports a reduction in PPS overhead from 300% to 2.2% with this
change.  We will want to explore further MAC Framework optimisation to
reduce overhead further, but this brings things more back into the world
of the sane.

MFC after:	3 days
2019-05-03 20:38:43 +00:00
mac_audit.c
mac_cred.c
mac_framework.c Require that MAC label buffers be able to store a non-empty string. 2018-08-01 03:46:07 +00:00
mac_framework.h
mac_inet6.c
mac_inet.c When MAC is enabled and a policy module is loaded, don't unconditionally 2019-05-03 20:38:43 +00:00
mac_internal.h When MAC is enabled and a policy module is loaded, don't unconditionally 2019-05-03 20:38:43 +00:00
mac_label.c
mac_net.c When MAC is enabled and a policy module is loaded, don't unconditionally 2019-05-03 20:38:43 +00:00
mac_pipe.c
mac_policy.h
mac_posix_sem.c
mac_posix_shm.c
mac_priv.c
mac_process.c
mac_socket.c
mac_syscalls.c
mac_system.c
mac_sysv_msg.c
mac_sysv_sem.c
mac_sysv_shm.c
mac_vfs.c