authorStephen J. Kiernan <stevek@FreeBSD.org>2019-05-17 18:13:43 +0000
committerStephen J. Kiernan <stevek@FreeBSD.org>2019-05-17 18:13:43 +0000
commit6cbc970317d395ce13073a81793b6218661f3080 (patch)
tree7166415a8d0a55a3203cb995f0e7ea4ea8075e4e
parented377cf415612cd333322ac31a9c13b4c482e909 (diff)
Obtain a shared lock instead of exclusive in the MAC/veriexec
MAC_VERIEXEC_CHECK_PATH_SYSCALL per-MAC policy system call. When we are checking the status of the fingerprint on a vnode using the per-MAC-policy syscall, we do not need an exclusive lock on the vnode. Even if there is more than one thread requesting the status at the same time, the worst we can end up doing is processing the file more than once. This can potentially be improved in the future with offloading the fingerprint evaluation to a separate thread and blocking until the update completes. But for now the race is acceptable. Obtained from: Juniper Networks, Inc. MFC after: 1 week
Notes
Notes: svn path=/head/; revision=347938
-rw-r--r--sys/security/mac_veriexec/mac_veriexec.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index eb749ef1550a..8bd610192caa 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -697,7 +697,8 @@ cleanup_file:
break;
case MAC_VERIEXEC_CHECK_PATH_SYSCALL:
/* Look up the path to get the vnode */
- NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
+ NDINIT(&nd, LOOKUP,
+ FOLLOW | LOCKLEAF | LOCKSHARED | AUDITVNODE1,
UIO_USERSPACE, arg, td);
error = namei(&nd);
if (error != 0)
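Review bot: The comment above the NDINIT call still reads only `/* Look up the path to get the vnode */`, so the reason LOCKSHARED is sufficient here is recorded only in the commit message. Because the result of this check is a fingerprint status that veriexec relies on, I would state the accepted race next to the flag, for example `/* Shared leaf lock is enough: concurrent callers may each evaluate the fingerprint, which is redundant but harmless. */`. The code that uses the locked vnode lies outside this hunk, which ends at `if (error != 0)`. It is therefore worth confirming that anything the check path stores on the vnode is safe to write from several shared-lock holders at once and always converges on the same status.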