diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2010-01-07 15:55:16 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-01-24 16:29:05 -0500 |
| commit | 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 (patch) | |
| tree | 9d99a883eb2ab097a3ff1ee4e1c9bf2fa851d832 /security/selinux/ss/mls.c | |
| parent | 2457552d1e6f3183cd93f81c49a8da5fe8bb0e42 (diff) | |
selinux: convert range transition list to a hashtab
Per https://bugzilla.redhat.com/show_bug.cgi?id=548145
there are sufficient range transition rules in modern (Fedora) policy to
make mls_compute_sid a significant factor on the shmem file setup path
due to the length of the range_tr list. Replace the simple range_tr
list with a hashtab inside the security server to help mitigate this
problem.
Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss/mls.c')
| -rw-r--r-- | security/selinux/ss/mls.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index e6654b543aed..443ae7370144 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
| @@ -513,7 +513,8 @@ int mls_compute_sid(struct context *scontext, | |||
| 513 | u32 specified, | 513 | u32 specified, |
| 514 | struct context *newcontext) | 514 | struct context *newcontext) |
| 515 | { | 515 | { |
| 516 | struct range_trans *rtr; | 516 | struct range_trans rtr; |
| 517 | struct mls_range *r; | ||
| 517 | 518 | ||
| 518 | if (!selinux_mls_enabled) | 519 | if (!selinux_mls_enabled) |
| 519 | return 0; | 520 | return 0; |
| @@ -521,15 +522,12 @@ int mls_compute_sid(struct context *scontext, | |||
| 521 | switch (specified) { | 522 | switch (specified) { |
| 522 | case AVTAB_TRANSITION: | 523 | case AVTAB_TRANSITION: |
| 523 | /* Look for a range transition rule. */ | 524 | /* Look for a range transition rule. */ |
| 524 | for (rtr = policydb.range_tr; rtr; rtr = rtr->next) { | 525 | rtr.source_type = scontext->type; |
| 525 | if (rtr->source_type == scontext->type && | 526 | rtr.target_type = tcontext->type; |
| 526 | rtr->target_type == tcontext->type && | 527 | rtr.target_class = tclass; |
| 527 | rtr->target_class == tclass) { | 528 | r = hashtab_search(policydb.range_tr, &rtr); |
| 528 | /* Set the range from the rule */ | 529 | if (r) |
| 529 | return mls_range_set(newcontext, | 530 | return mls_range_set(newcontext, r); |
| 530 | &rtr->target_range); | ||
| 531 | } | ||
| 532 | } | ||
| 533 | /* Fallthrough */ | 531 | /* Fallthrough */ |
| 534 | case AVTAB_CHANGE: | 532 | case AVTAB_CHANGE: |
| 535 | if (tclass == policydb.process_class) | 533 | if (tclass == policydb.process_class) |