History log of /src/sys/security/mac/mac_framework.c (Results 1 – 25 of 627)
Revision Date Author Comments
# 11d6ea47 04-Oct-2025 Kyle Evans <kevans@FreeBSD.org>

kern: mac: add a MAC label to struct prison

Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D53953


# 12ac59a0 13-Oct-2025 Zhenlei Huang <zlei@FreeBSD.org>

MAC: Use proper prototype for SYSINIT functions

MFC after: 1 week


# 5041b205 03-Jul-2024 Olivier Certner <olce@FreeBSD.org>

MAC: Define a common 'mac' node for MAC's jail parameters

To be used by MAC/do.

Reviewed by: jamie
Approved by: markj (mentor)
MFC after: 5 days
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46899


# 90678c89 03-Jul-2024 Olivier Certner <olce@FreeBSD.org>

MAC: 'kernel_mac_support' module: Make an outdated comment more generic

No functional change.

Reviewed by: jamie
Approved by: markj (mentor)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46898


# fdafd315 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix


# f64a688d 13-Nov-2023 Brooks Davis <brooks@FreeBSD.org>

Remove gratuitous copyouts of unchanged struct mac.

The get operations change the data pointed to by the structure, but do
not update the contents of the struct.

Mark the struct mac arguments of mac_[gs]etsockopt_*label() and
mac_check_structmac_consistent() const to prevent this from changing
in the future.

Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D14488


# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 8deb442c 02-Apr-2023 Steve Kiernan <stevek@juniper.net>

mac: Honor order when registering MAC modules.

Ensure MAC modules are inserted in order that they are registered.

Reviewed by: markj
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D39589


# 60dae3b8 08-Aug-2022 Mateusz Guzik <mjg@FreeBSD.org>

mac: cheaper check for mac_pipe_check_read

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D36082


# f77697dd 29-Jun-2021 Mateusz Guzik <mjg@FreeBSD.org>

mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmit

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 77589de8 08-Jan-2021 Mateusz Guzik <mjg@FreeBSD.org>

mac: cheaper check for mac_vnode_check_readlink


# 33f3e81d 01-Jan-2021 Mateusz Guzik <mjg@FreeBSD.org>

cache: combine fast path enabled status into one flag

Tested by: pho


# 89744405 19-Nov-2020 Mateusz Guzik <mjg@FreeBSD.org>

pipe: allow for lockless pipe_stat

pipes get stated all the time and this avoidably contributed to contention.
The pipe lock is only held to accommodate MAC and to check the type.

Since normally there is no probe for pipe stat depessimize this by having the
flag.

The pipe_state field gets modified with locks held all the time and it's not
feasible to convert them to use atomic store. Move the type flag away to a
separate variable as a simple cleanup and to provide stable field to read.
Use short for both fields to avoid growing the struct.

While here short-circuit MAC for pipe_poll as well.


# 440cec3f 12-Aug-2020 Glen Barber <gjb@FreeBSD.org>

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)


# e383ec74 06-Aug-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r363739 through r363986.


# 18f67bc4 05-Aug-2020 Mateusz Guzik <mjg@FreeBSD.org>

vfs: add a cheaper entry for mac_vnode_check_access


# c7aa572c 31-Jul-2020 Glen Barber <gjb@FreeBSD.org>

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)


# 17996960 31-Jul-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r363583 through r363738.


# fad6dd77 29-Jul-2020 Mateusz Guzik <mjg@FreeBSD.org>

vfs: elide MAC-induced locking on rename if there are no relevant hooks


# e2c0e292 16-Jul-2020 Glen Barber <gjb@FreeBSD.org>

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)


# 3ea3fbe6 16-Jul-2020 Mateusz Guzik <mjg@FreeBSD.org>

vfs: fix vn_poll performance with either MAC or AUDIT

The code would unconditionally lock the vnode to audit or call the
mac hook, even if neither want to do anything. Pre-check the state
to avoid locking in the common case of nothing to do.

Note this code should not be normally executed anyway as vnodes are
always return ready. However, poll1/2 from will-it-scale use regular
files for benchmarking, presumably to focus on the interface itself
as the vnode handler is not supposed to do almost anything.

This in particular fixes poll2 which passes 128 fds.

$ ./poll2_processes -s 10
before: 134411
after: 271572


# 407a5b79 04-Apr-2020 Jason A. Harmening <jah@FreeBSD.org>

mac_policy: Remove mac_policy_sx

This lock was made unnecessary by the addition of mac_policy_rms in r356120.

Reviewed by: mjg, kib
Differential Revision: https://reviews.freebsd.org/D24283


# 75dfc66c 27-Feb-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r358269 through r358399.


# 7029da5c 26-Feb-2020 Pawel Biernacki <kaktus@FreeBSD.org>

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is a non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE. All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT.

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718


# 74dc6beb 14-Feb-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r357855 through r357920.

