Created attachment 155932
Patch adding hooks to the MAC framework and vnode operations
Add hooks in the MAC subsystem following vnode lookup and create operations that allow MAC policies to update state in response to file system accesses and modifications.
These hooks are used in the Shill research project (http://shill.seas.harvard.edu) to implement a capability-based sandbox, but could be used by any MAC policy that requires fine-grained tracking of filesystem access patterns.
To evaluate the performance impact of this patch, I have run two benchmarks that test the overhead on lookup and create operations. The first benchmark "open-read-close" measures the time required to open the file "/tmp/file" (two lookup operations), read 1 byte, and close the file. The second benchmark "create-unlink" measures the time required to create the file "/tmp/file" and then unlink it. I ran each benchmark in a tight loop lasting for 10 seconds and took 50 measurements. The measurements were taken on a ThinkPad x201 in single-user mode, pinned to a single core. The performance impact appears to be negligible, within a few microseconds. A summary of the benchmarks is below (time in microseconds).
Benchmark          Mean    SD     Mean    SD
open-read-close   11.11  0.02   11.18  0.03
create-unlink     41.50  0.09   40.57  0.17
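The two loops described in the comment above, written out as a userland microbenchmark so the measurement can be repeated before and after applying a patch like this one. This is an added example, not code from the patch or from the Shill project. It assumes a POSIX system (FreeBSD or Linux) with a writable /tmp; BENCH_PATH is a constructed name rather than the original "/tmp/file", the loop length and sample count default to the 10 seconds and 50 samples the comment uses, and pinning to one core and single-user mode are left to the operator.

```c
/* Microbenchmark for "open-read-close" and "create-unlink" (added example;
 * not from the patch or the Shill project). Assumes POSIX open/read/close/
 * unlink and clock_gettime(CLOCK_MONOTONIC). BENCH_PATH is a constructed
 * file name, not the original "/tmp/file". */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

#define BENCH_PATH "/tmp/mac_hook_bench_example"

/* Monotonic clock in seconds. */
static double now_sec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Create the target file with one byte so open-read-close has data to read. */
static int write_one_byte(const char *path) {
    int fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, "x", 1);
    close(fd);
    return n == 1 ? 0 : -1;
}

/* One "open-read-close" iteration: open (the path lookups happen here),
 * read one byte, close. Returns 0 on success, -1 on any failure. */
static int open_read_close(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char b;
    ssize_t n = read(fd, &b, 1);
    close(fd);
    return n == 1 ? 0 : -1;
}

/* One "create-unlink" iteration: exclusive create, close, unlink. */
static int create_unlink(const char *path) {
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    return unlink(path) == 0 ? 0 : -1;
}

/* Run op(path) in a tight loop for `seconds`. Returns the mean microseconds
 * per iteration, or -1.0 if an iteration fails or nothing ran. */
static double bench_loop(int (*op)(const char *), const char *path, double seconds) {
    double start = now_sec(), end, deadline = start + seconds;
    unsigned long iters = 0;
    while ((end = now_sec()) < deadline) {
        if (op(path) != 0) return -1.0;
        iters++;
    }
    return iters ? (end - start) * 1e6 / (double)iters : -1.0;
}

/* Sample mean of n values. */
static double sample_mean(const double *x, size_t n) {
    double s = 0.0;
    for (size_t i = 0; i < n; i++) s += x[i];
    return n ? s / (double)n : 0.0;
}

/* Square root by Newton's method, so the example does not need libm. */
static double newton_sqrt(double v) {
    if (v <= 0.0) return 0.0;
    double r = v;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + v / r);
    return r;
}

/* Sample standard deviation (n-1 denominator), as reported in the table. */
static double sample_sd(const double *x, size_t n) {
    if (n < 2) return 0.0;
    double m = sample_mean(x, n), ss = 0.0;
    for (size_t i = 0; i < n; i++) ss += (x[i] - m) * (x[i] - m);
    return newton_sqrt(ss / (double)(n - 1));
}

/* Constructed input for checking the statistics helpers: mean 2.5, SD sqrt(5/3). */
static const double demo_samples[] = { 1.0, 2.0, 3.0, 4.0 };

int main(int argc, char **argv) {
    double seconds = argc > 1 ? atof(argv[1]) : 10.0; /* loop length per sample */
    int samples = argc > 2 ? atoi(argv[2]) : 50;      /* samples per benchmark */
    if (samples <= 0 || samples > 1000) return 1;
    double orc[1000], cu[1000];
    if (write_one_byte(BENCH_PATH) != 0) { perror("setup"); return 1; }
    for (int i = 0; i < samples; i++)
        if ((orc[i] = bench_loop(open_read_close, BENCH_PATH, seconds)) < 0) { perror("open-read-close"); return 1; }
    unlink(BENCH_PATH); /* create-unlink needs the path absent (O_EXCL) */
    for (int i = 0; i < samples; i++)
        if ((cu[i] = bench_loop(create_unlink, BENCH_PATH, seconds)) < 0) { perror("create-unlink"); return 1; }
    printf("%-16s %8s %8s\n", "Benchmark", "Mean", "SD");
    printf("%-16s %8.2f %8.2f\n", "open-read-close", sample_mean(orc, (size_t)samples), sample_sd(orc, (size_t)samples));
    printf("%-16s %8.2f %8.2f\n", "create-unlink", sample_mean(cu, (size_t)samples), sample_sd(cu, (size_t)samples));
    return 0;
}
```

Run it once on the unpatched kernel and once on the patched one (for example `./bench 10 50`, or `./bench 1 10` for a quick check) and compare the two rows; the create-unlink loop relies on O_EXCL so a leftover file from an interrupted run shows up as an error rather than a silently shorter measurement.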