Document the MPC_LOADTIME_FLAG_LABELMBUFS load-time policy flag and

its possible interactions with the MPC_LOADTIME_FLAG_NOTLATE flag. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
svn path=/head/; revision=16616
2003-04-20 04:59:57 +00:00 · 2003-04-20 04:59:57 +00:00 · 93cbd61b9c · 2020-12-08 03:00:23 +00:00
commit 93cbd61b9c
parent 5656cc3abb
2 changed files with 66 additions and 4 deletions
--- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
@ -457,8 +457,9 @@
        processes.</para>
      
      <para>The policy flags field permits the module to provide the
-        framework with information about its loader-related
-        capabilities.  Currently, two flags are defined:</para>
+        framework with information about its capabilities at the
+	time the module is loaded.  Currently, three flags are
+	defined:</para>
      
      <variablelist>
        <varlistentry>
@ -486,8 +487,38 @@
              have not been properly initialized by the policy.</para>
          </listitem>
        </varlistentry>
+
+	<varlistentry>
+	  <term>MPC_LOADTIME_FLAG_LABELMBUFS</term>
+
+	  <listitem>
+	    <para>This flag indicates that the policy module requires
+	      labeling of Mbufs, and that memory should always be
+	      allocated for the storage of Mbuf labels.  By default,
+	      the MAC Framework will not allocate label storage for
+	      Mbufs unless at least one loaded policy has this flag
+	      set.  This measurably improves network performance when
+	      policies do not require Mbuf labeling.  A kernel option,
+	      <literal>MAC_ALWAYS_LABEL_MBUF</literal>, exists to
+	      force the MAC Framework to allocate Mbuf label storage
+	      regardless of the setting of this flag, and may be
+	      useful in some environments.</para>
+	  </listitem>
+	</varlistentry>
+
      </variablelist>
      
+      <note><para>Policies using the
+	<literal>MPC_LOADTIME_FLAG_LABELMBUFS</literal> without the
+	<literal>MPC_LOADTIME_FLAG_NOTLATE</literal> flag set
+	must be able to correctly handle <literal>NULL</literal>
+	Mbuf label pointers passed into entry points.  This is necessary
+	as in-flight Mbufs without label storage may persist after a
+	policy enabling Mbuf labeling has been loaded.  If a policy
+	is loaded before the network subsystem is active (i.e., the
+	policy is not being loaded late), then all Mbufs are guaranteed
+	to have label storage.</para></note>
+
      <sect3 id="mac-mpo-init">
        <title><function>&mac.mpo;_init</function</title>
        
--- a/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml
@ -457,8 +457,9 @@
        processes.</para>
      
      <para>The policy flags field permits the module to provide the
-        framework with information about its loader-related
-        capabilities.  Currently, two flags are defined:</para>
+        framework with information about its capabilities at the
+	time the module is loaded.  Currently, three flags are
+	defined:</para>
      
      <variablelist>
        <varlistentry>
@ -486,8 +487,38 @@
              have not been properly initialized by the policy.</para>
          </listitem>
        </varlistentry>
+
+	<varlistentry>
+	  <term>MPC_LOADTIME_FLAG_LABELMBUFS</term>
+
+	  <listitem>
+	    <para>This flag indicates that the policy module requires
+	      labeling of Mbufs, and that memory should always be
+	      allocated for the storage of Mbuf labels.  By default,
+	      the MAC Framework will not allocate label storage for
+	      Mbufs unless at least one loaded policy has this flag
+	      set.  This measurably improves network performance when
+	      policies do not require Mbuf labeling.  A kernel option,
+	      <literal>MAC_ALWAYS_LABEL_MBUF</literal>, exists to
+	      force the MAC Framework to allocate Mbuf label storage
+	      regardless of the setting of this flag, and may be
+	      useful in some environments.</para>
+	  </listitem>
+	</varlistentry>
+
      </variablelist>
      
+      <note><para>Policies using the
+	<literal>MPC_LOADTIME_FLAG_LABELMBUFS</literal> without the
+	<literal>MPC_LOADTIME_FLAG_NOTLATE</literal> flag set
+	must be able to correctly handle <literal>NULL</literal>
+	Mbuf label pointers passed into entry points.  This is necessary
+	as in-flight Mbufs without label storage may persist after a
+	policy enabling Mbuf labeling has been loaded.  If a policy
+	is loaded before the network subsystem is active (i.e., the
+	policy is not being loaded late), then all Mbufs are guaranteed
+	to have label storage.</para></note>
+
      <sect3 id="mac-mpo-init">
        <title><function>&mac.mpo;_init</function</title>