Changeset View
Changeset View
Standalone View
Standalone View
head/sys/security/mac/mac_framework.c
Show First 20 Lines • Show All 178 Lines • ▼ Show 20 Lines | |||||
* cycle or that may be unloaded. The static policy list does not require | * cycle or that may be unloaded. The static policy list does not require | ||||
* locks to iterate over, but the dynamic list requires synchronization. | * locks to iterate over, but the dynamic list requires synchronization. | ||||
* Support for dynamic policy loading can be compiled out using the | * Support for dynamic policy loading can be compiled out using the | ||||
* MAC_STATIC kernel option. | * MAC_STATIC kernel option. | ||||
* | * | ||||
* The dynamic policy list is protected by two locks: modifying the list | * The dynamic policy list is protected by two locks: modifying the list | ||||
* requires both locks to be held exclusively. One of the locks, | * requires both locks to be held exclusively. One of the locks, | ||||
* mac_policy_rm, is acquired over policy entry points that will never sleep; | * mac_policy_rm, is acquired over policy entry points that will never sleep; | ||||
* the other, mac_policy_sx, is acquire over policy entry points that may | * the other, mac_policy_rms, is acquired over policy entry points that may | ||||
* sleep. The former category will be used when kernel locks may be held | * sleep. The former category will be used when kernel locks may be held | ||||
* over calls to the MAC Framework, during network processing in ithreads, | * over calls to the MAC Framework, during network processing in ithreads, | ||||
* etc. The latter will tend to involve potentially blocking memory | * etc. The latter will tend to involve potentially blocking memory | ||||
* allocations, extended attribute I/O, etc. | * allocations, extended attribute I/O, etc. | ||||
*/ | */ | ||||
#ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */ | static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */ | ||||
static struct sx mac_policy_sx; /* Sleeping entry points. */ | static struct rmslock mac_policy_rms; /* Sleeping entry points. */ | ||||
static struct rmslock mac_policy_rms; | |||||
#endif | #endif | ||||
struct mac_policy_list_head mac_policy_list; | struct mac_policy_list_head mac_policy_list; | ||||
struct mac_policy_list_head mac_static_policy_list; | struct mac_policy_list_head mac_static_policy_list; | ||||
u_int mac_policy_count; /* Registered policy count. */ | u_int mac_policy_count; /* Registered policy count. */ | ||||
static void mac_policy_xlock(void); | static void mac_policy_xlock(void); | ||||
static void mac_policy_xlock_assert(void); | static void mac_policy_xlock_assert(void); | ||||
▲ Show 20 Lines • Show All 56 Lines • ▼ Show 20 Lines | mac_policy_xlock(void) | ||||
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, | WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, | ||||
"mac_policy_xlock()"); | "mac_policy_xlock()"); | ||||
#ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
if (!mac_late) | if (!mac_late) | ||||
return; | return; | ||||
sx_xlock(&mac_policy_sx); | |||||
rms_wlock(&mac_policy_rms); | rms_wlock(&mac_policy_rms); | ||||
rm_wlock(&mac_policy_rm); | rm_wlock(&mac_policy_rm); | ||||
#endif | #endif | ||||
} | } | ||||
static void | static void | ||||
mac_policy_xunlock(void) | mac_policy_xunlock(void) | ||||
{ | { | ||||
#ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
if (!mac_late) | if (!mac_late) | ||||
return; | return; | ||||
rm_wunlock(&mac_policy_rm); | rm_wunlock(&mac_policy_rm); | ||||
rms_wunlock(&mac_policy_rms); | rms_wunlock(&mac_policy_rms); | ||||
sx_xunlock(&mac_policy_sx); | |||||
#endif | #endif | ||||
} | } | ||||
static void | static void | ||||
mac_policy_xlock_assert(void) | mac_policy_xlock_assert(void) | ||||
{ | { | ||||
#ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
if (!mac_late) | if (!mac_late) | ||||
return; | return; | ||||
/* XXXRW: rm_assert(&mac_policy_rm, RA_WLOCKED); */ | rm_assert(&mac_policy_rm, RA_WLOCKED); | ||||
sx_assert(&mac_policy_sx, SA_XLOCKED); | |||||
#endif | #endif | ||||
} | } | ||||
/* | /* | ||||
* Initialize the MAC subsystem, including appropriate SMP locks. | * Initialize the MAC subsystem, including appropriate SMP locks. | ||||
*/ | */ | ||||
static void | static void | ||||
mac_init(void) | mac_init(void) | ||||
{ | { | ||||
LIST_INIT(&mac_static_policy_list); | LIST_INIT(&mac_static_policy_list); | ||||
LIST_INIT(&mac_policy_list); | LIST_INIT(&mac_policy_list); | ||||
mac_labelzone_init(); | mac_labelzone_init(); | ||||
#ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | | rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | | ||||
RM_RECURSE); | RM_RECURSE); | ||||
sx_init_flags(&mac_policy_sx, "mac_policy_sx", SX_NOWITNESS); | |||||
rms_init(&mac_policy_rms, "mac_policy_rms"); | rms_init(&mac_policy_rms, "mac_policy_rms"); | ||||
#endif | #endif | ||||
} | } | ||||
/* | /* | ||||
* For the purposes of modules that want to know if they were loaded "early", | * For the purposes of modules that want to know if they were loaded "early", | ||||
* set the mac_late flag once we've processed modules either linked into the | * set the mac_late flag once we've processed modules either linked into the | ||||
* kernel, or loaded before the kernel startup. | * kernel, or loaded before the kernel startup. | ||||
▲ Show 20 Lines • Show All 391 Lines • Show Last 20 Lines |