diff options
| author | Vishal Goel <vishal.goel@samsung.com> | 2019-03-07 06:25:24 -0500 |
|---|---|---|
| committer | Casey Schaufler <cschaufler@localhost.localdomain> | 2019-04-02 14:45:22 -0400 |
| commit | 460d95a1d69d5c0352379a3651c9cb6ec09e4ddb (patch) | |
| tree | b3208c50a93062822aa1ad7e4509d6d4427d066c /security | |
| parent | 9d7b7bfbafba5e6cad609f1188243a7f0cd0d293 (diff) | |
smack: removal of global rule list
In this patch, global rule list has been removed. Now all
smack rules will be read using "smack_known_list". This list contains
all the smack labels and internally each smack label structure
maintains the list of smack rules corresponding to that smack label.
So there is no need to maintain extra list.
1) Small Memory Optimization
For eg. if there are 20000 rules, then it will save 625KB(20000*32),
which is critical for small embedded systems.
2) Reducing the time taken in writing rules on load/load2 interface
3) Since global rule list is just used to read the rules, so there
will be no performance impact on system
Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
Signed-off-by: Amit Sahrawat <a.sahrawat@samsung.com>
Signed-off-by: Casey Schaufler <cschaufler@localhost.localdomain>
Diffstat (limited to 'security')
| -rw-r--r-- | security/smack/smackfs.c | 53 |
1 files changed, 15 insertions, 38 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index faf2ea3968b3..8406738b45f2 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -67,7 +67,6 @@ enum smk_inos { | |||
| 67 | /* | 67 | /* |
| 68 | * List locks | 68 | * List locks |
| 69 | */ | 69 | */ |
| 70 | static DEFINE_MUTEX(smack_master_list_lock); | ||
| 71 | static DEFINE_MUTEX(smack_cipso_lock); | 70 | static DEFINE_MUTEX(smack_cipso_lock); |
| 72 | static DEFINE_MUTEX(smack_ambient_lock); | 71 | static DEFINE_MUTEX(smack_ambient_lock); |
| 73 | static DEFINE_MUTEX(smk_net4addr_lock); | 72 | static DEFINE_MUTEX(smk_net4addr_lock); |
| @@ -134,15 +133,7 @@ LIST_HEAD(smk_net6addr_list); | |||
| 134 | 133 | ||
| 135 | /* | 134 | /* |
| 136 | * Rule lists are maintained for each label. | 135 | * Rule lists are maintained for each label. |
| 137 | * This master list is just for reading /smack/load and /smack/load2. | ||
| 138 | */ | 136 | */ |
| 139 | struct smack_master_list { | ||
| 140 | struct list_head list; | ||
| 141 | struct smack_rule *smk_rule; | ||
| 142 | }; | ||
| 143 | |||
| 144 | static LIST_HEAD(smack_rule_list); | ||
| 145 | |||
| 146 | struct smack_parsed_rule { | 137 | struct smack_parsed_rule { |
| 147 | struct smack_known *smk_subject; | 138 | struct smack_known *smk_subject; |
| 148 | struct smack_known *smk_object; | 139 | struct smack_known *smk_object; |
| @@ -211,7 +202,6 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) | |||
| 211 | * @srp: the rule to add or replace | 202 | * @srp: the rule to add or replace |
| 212 | * @rule_list: the list of rules | 203 | * @rule_list: the list of rules |
| 213 | * @rule_lock: the rule list lock | 204 | * @rule_lock: the rule list lock |
| 214 | * @global: if non-zero, indicates a global rule | ||
| 215 | * | 205 | * |
| 216 | * Looks through the current subject/object/access list for | 206 | * Looks through the current subject/object/access list for |
| 217 | * the subject/object pair and replaces the access that was | 207 | * the subject/object pair and replaces the access that was |
| @@ -223,10 +213,9 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) | |||
| 223 | */ | 213 | */ |
| 224 | static int smk_set_access(struct smack_parsed_rule *srp, | 214 | static int smk_set_access(struct smack_parsed_rule *srp, |
| 225 | struct list_head *rule_list, | 215 | struct list_head *rule_list, |
| 226 | struct mutex *rule_lock, int global) | 216 | struct mutex *rule_lock) |
| 227 | { | 217 | { |
| 228 | struct smack_rule *sp; | 218 | struct smack_rule *sp; |
| 229 | struct smack_master_list *smlp; | ||
| 230 | int found = 0; | 219 | int found = 0; |
| 231 | int rc = 0; | 220 | int rc = 0; |
| 232 | 221 | ||
| @@ -258,22 +247,6 @@ static int smk_set_access(struct smack_parsed_rule *srp, | |||
| 258 | sp->smk_access = srp->smk_access1 & ~srp->smk_access2; | 247 | sp->smk_access = srp->smk_access1 & ~srp->smk_access2; |
| 259 | 248 | ||
| 260 | list_add_rcu(&sp->list, rule_list); | 249 | list_add_rcu(&sp->list, rule_list); |
| 261 | /* | ||
| 262 | * If this is a global as opposed to self and a new rule | ||
| 263 | * it needs to get added for reporting. | ||
| 264 | */ | ||
| 265 | if (global) { | ||
| 266 | mutex_unlock(rule_lock); | ||
| 267 | smlp = kzalloc(sizeof(*smlp), GFP_KERNEL); | ||
| 268 | if (smlp != NULL) { | ||
| 269 | smlp->smk_rule = sp; | ||
| 270 | mutex_lock(&smack_master_list_lock); | ||
| 271 | list_add_rcu(&smlp->list, &smack_rule_list); | ||
| 272 | mutex_unlock(&smack_master_list_lock); | ||
| 273 | } else | ||
| 274 | rc = -ENOMEM; | ||
| 275 | return rc; | ||
| 276 | } | ||
| 277 | } | 250 | } |
| 278 | 251 | ||
| 279 | out: | 252 | out: |
| @@ -540,9 +513,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf, | |||
| 540 | 513 | ||
| 541 | if (rule_list == NULL) | 514 | if (rule_list == NULL) |
| 542 | rc = smk_set_access(&rule, &rule.smk_subject->smk_rules, | 515 | rc = smk_set_access(&rule, &rule.smk_subject->smk_rules, |
| 543 | &rule.smk_subject->smk_rules_lock, 1); | 516 | &rule.smk_subject->smk_rules_lock); |
| 544 | else | 517 | else |
| 545 | rc = smk_set_access(&rule, rule_list, rule_lock, 0); | 518 | rc = smk_set_access(&rule, rule_list, rule_lock); |
| 546 | 519 | ||
| 547 | if (rc) | 520 | if (rc) |
| 548 | goto out; | 521 | goto out; |
| @@ -636,21 +609,23 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max) | |||
| 636 | 609 | ||
| 637 | static void *load2_seq_start(struct seq_file *s, loff_t *pos) | 610 | static void *load2_seq_start(struct seq_file *s, loff_t *pos) |
| 638 | { | 611 | { |
| 639 | return smk_seq_start(s, pos, &smack_rule_list); | 612 | return smk_seq_start(s, pos, &smack_known_list); |
| 640 | } | 613 | } |
| 641 | 614 | ||
| 642 | static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos) | 615 | static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 643 | { | 616 | { |
| 644 | return smk_seq_next(s, v, pos, &smack_rule_list); | 617 | return smk_seq_next(s, v, pos, &smack_known_list); |
| 645 | } | 618 | } |
| 646 | 619 | ||
| 647 | static int load_seq_show(struct seq_file *s, void *v) | 620 | static int load_seq_show(struct seq_file *s, void *v) |
| 648 | { | 621 | { |
| 649 | struct list_head *list = v; | 622 | struct list_head *list = v; |
| 650 | struct smack_master_list *smlp = | 623 | struct smack_rule *srp; |
| 651 | list_entry_rcu(list, struct smack_master_list, list); | 624 | struct smack_known *skp = |
| 625 | list_entry_rcu(list, struct smack_known, list); | ||
| 652 | 626 | ||
| 653 | smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN); | 627 | list_for_each_entry_rcu(srp, &skp->smk_rules, list) |
| 628 | smk_rule_show(s, srp, SMK_LABELLEN); | ||
| 654 | 629 | ||
| 655 | return 0; | 630 | return 0; |
| 656 | } | 631 | } |
| @@ -2352,10 +2327,12 @@ static const struct file_operations smk_access_ops = { | |||
| 2352 | static int load2_seq_show(struct seq_file *s, void *v) | 2327 | static int load2_seq_show(struct seq_file *s, void *v) |
| 2353 | { | 2328 | { |
| 2354 | struct list_head *list = v; | 2329 | struct list_head *list = v; |
| 2355 | struct smack_master_list *smlp = | 2330 | struct smack_rule *srp; |
| 2356 | list_entry_rcu(list, struct smack_master_list, list); | 2331 | struct smack_known *skp = |
| 2332 | list_entry_rcu(list, struct smack_known, list); | ||
| 2357 | 2333 | ||
| 2358 | smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL); | 2334 | list_for_each_entry_rcu(srp, &skp->smk_rules, list) |
| 2335 | smk_rule_show(s, srp, SMK_LONGLABEL); | ||
| 2359 | 2336 | ||
| 2360 | return 0; | 2337 | return 0; |
| 2361 | } | 2338 | } |