Changeset View
Changeset View
Standalone View
Standalone View
head/sys/security/mac/mac_framework.c
| Show First 20 Lines • Show All 178 Lines • ▼ Show 20 Lines | |||||
| * cycle or that may be unloaded. The static policy list does not require | * cycle or that may be unloaded. The static policy list does not require | ||||
| * locks to iterate over, but the dynamic list requires synchronization. | * locks to iterate over, but the dynamic list requires synchronization. | ||||
| * Support for dynamic policy loading can be compiled out using the | * Support for dynamic policy loading can be compiled out using the | ||||
| * MAC_STATIC kernel option. | * MAC_STATIC kernel option. | ||||
| * | * | ||||
| * The dynamic policy list is protected by two locks: modifying the list | * The dynamic policy list is protected by two locks: modifying the list | ||||
| * requires both locks to be held exclusively. One of the locks, | * requires both locks to be held exclusively. One of the locks, | ||||
| * mac_policy_rm, is acquired over policy entry points that will never sleep; | * mac_policy_rm, is acquired over policy entry points that will never sleep; | ||||
| * the other, mac_policy_sx, is acquire over policy entry points that may | * the other, mac_policy_rms, is acquired over policy entry points that may | ||||
| * sleep. The former category will be used when kernel locks may be held | * sleep. The former category will be used when kernel locks may be held | ||||
| * over calls to the MAC Framework, during network processing in ithreads, | * over calls to the MAC Framework, during network processing in ithreads, | ||||
| * etc. The latter will tend to involve potentially blocking memory | * etc. The latter will tend to involve potentially blocking memory | ||||
| * allocations, extended attribute I/O, etc. | * allocations, extended attribute I/O, etc. | ||||
| */ | */ | ||||
| #ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
| static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */ | static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */ | ||||
| static struct sx mac_policy_sx; /* Sleeping entry points. */ | static struct rmslock mac_policy_rms; /* Sleeping entry points. */ | ||||
| static struct rmslock mac_policy_rms; | |||||
| #endif | #endif | ||||
| struct mac_policy_list_head mac_policy_list; | struct mac_policy_list_head mac_policy_list; | ||||
| struct mac_policy_list_head mac_static_policy_list; | struct mac_policy_list_head mac_static_policy_list; | ||||
| u_int mac_policy_count; /* Registered policy count. */ | u_int mac_policy_count; /* Registered policy count. */ | ||||
| static void mac_policy_xlock(void); | static void mac_policy_xlock(void); | ||||
| static void mac_policy_xlock_assert(void); | static void mac_policy_xlock_assert(void); | ||||
| ▲ Show 20 Lines • Show All 56 Lines • ▼ Show 20 Lines | mac_policy_xlock(void) | ||||
| WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, | WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, | ||||
| "mac_policy_xlock()"); | "mac_policy_xlock()"); | ||||
| #ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
| if (!mac_late) | if (!mac_late) | ||||
| return; | return; | ||||
| sx_xlock(&mac_policy_sx); | |||||
| rms_wlock(&mac_policy_rms); | rms_wlock(&mac_policy_rms); | ||||
| rm_wlock(&mac_policy_rm); | rm_wlock(&mac_policy_rm); | ||||
| #endif | #endif | ||||
| } | } | ||||
| static void | static void | ||||
| mac_policy_xunlock(void) | mac_policy_xunlock(void) | ||||
| { | { | ||||
| #ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
| if (!mac_late) | if (!mac_late) | ||||
| return; | return; | ||||
| rm_wunlock(&mac_policy_rm); | rm_wunlock(&mac_policy_rm); | ||||
| rms_wunlock(&mac_policy_rms); | rms_wunlock(&mac_policy_rms); | ||||
| sx_xunlock(&mac_policy_sx); | |||||
| #endif | #endif | ||||
| } | } | ||||
| static void | static void | ||||
| mac_policy_xlock_assert(void) | mac_policy_xlock_assert(void) | ||||
| { | { | ||||
| #ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
| if (!mac_late) | if (!mac_late) | ||||
| return; | return; | ||||
| /* XXXRW: rm_assert(&mac_policy_rm, RA_WLOCKED); */ | rm_assert(&mac_policy_rm, RA_WLOCKED); | ||||
| sx_assert(&mac_policy_sx, SA_XLOCKED); | |||||
| #endif | #endif | ||||
| } | } | ||||
| /* | /* | ||||
| * Initialize the MAC subsystem, including appropriate SMP locks. | * Initialize the MAC subsystem, including appropriate SMP locks. | ||||
| */ | */ | ||||
| static void | static void | ||||
| mac_init(void) | mac_init(void) | ||||
| { | { | ||||
| LIST_INIT(&mac_static_policy_list); | LIST_INIT(&mac_static_policy_list); | ||||
| LIST_INIT(&mac_policy_list); | LIST_INIT(&mac_policy_list); | ||||
| mac_labelzone_init(); | mac_labelzone_init(); | ||||
| #ifndef MAC_STATIC | #ifndef MAC_STATIC | ||||
| rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | | rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | | ||||
| RM_RECURSE); | RM_RECURSE); | ||||
| sx_init_flags(&mac_policy_sx, "mac_policy_sx", SX_NOWITNESS); | |||||
| rms_init(&mac_policy_rms, "mac_policy_rms"); | rms_init(&mac_policy_rms, "mac_policy_rms"); | ||||
| #endif | #endif | ||||
| } | } | ||||
| /* | /* | ||||
| * For the purposes of modules that want to know if they were loaded "early", | * For the purposes of modules that want to know if they were loaded "early", | ||||
| * set the mac_late flag once we've processed modules either linked into the | * set the mac_late flag once we've processed modules either linked into the | ||||
| * kernel, or loaded before the kernel startup. | * kernel, or loaded before the kernel startup. | ||||
| ▲ Show 20 Lines • Show All 391 Lines • Show Last 20 Lines | |||||