diff options
author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:44:18 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:27 -0500 |
commit | 5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8 (patch) | |
tree | e1e028acaf0dd08cbcacd2c125f60230f820b442 /security/selinux/netlabel.c | |
parent | d621d35e576aa20a0ddae8022c3810f38357c8ff (diff) |
SELinux: Allow NetLabel to directly cache SIDs
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we
can do a big optimization - caching the SID and not just the MLS attributes.
This not only saves a lot of per-packet memory allocations and copies but it
has a nice side effect of removing a chunk of code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/netlabel.c')
-rw-r--r-- | security/selinux/netlabel.c | 55 |
1 files changed, 34 insertions, 21 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index b54d28fd3b5..0fa2be4149e 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
@@ -36,6 +36,33 @@ | |||
36 | #include "security.h" | 36 | #include "security.h" |
37 | 37 | ||
38 | /** | 38 | /** |
39 | * selinux_netlbl_sidlookup_cached - Cache a SID lookup | ||
40 | * @skb: the packet | ||
41 | * @secattr: the NetLabel security attributes | ||
42 | * @sid: the SID | ||
43 | * | ||
44 | * Description: | ||
45 | * Query the SELinux security server to lookup the correct SID for the given | ||
46 | * security attributes. If the query is successful, cache the result to speed | ||
47 | * up future lookups. Returns zero on success, negative values on failure. | ||
48 | * | ||
49 | */ | ||
50 | static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, | ||
51 | struct netlbl_lsm_secattr *secattr, | ||
52 | u32 *sid) | ||
53 | { | ||
54 | int rc; | ||
55 | |||
56 | rc = security_netlbl_secattr_to_sid(secattr, sid); | ||
57 | if (rc == 0 && | ||
58 | (secattr->flags & NETLBL_SECATTR_CACHEABLE) && | ||
59 | (secattr->flags & NETLBL_SECATTR_CACHE)) | ||
60 | netlbl_cache_add(skb, secattr); | ||
61 | |||
62 | return rc; | ||
63 | } | ||
64 | |||
65 | /** | ||
39 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism | 66 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism |
40 | * @sk: the socket to label | 67 | * @sk: the socket to label |
41 | * @sid: the SID to use | 68 | * @sid: the SID to use |
@@ -144,7 +171,6 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | |||
144 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel | 171 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel |
145 | * @skb: the packet | 172 | * @skb: the packet |
146 | * @family: protocol family | 173 | * @family: protocol family |
147 | * @base_sid: the SELinux SID to use as a context for MLS only attributes | ||
148 | * @type: NetLabel labeling protocol type | 174 | * @type: NetLabel labeling protocol type |
149 | * @sid: the SID | 175 | * @sid: the SID |
150 | * | 176 | * |
@@ -156,7 +182,6 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | |||
156 | */ | 182 | */ |
157 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 183 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
158 | u16 family, | 184 | u16 family, |
159 | u32 base_sid, | ||
160 | u32 *type, | 185 | u32 *type, |
161 | u32 *sid) | 186 | u32 *sid) |
162 | { | 187 | { |
@@ -170,13 +195,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | |||
170 | 195 | ||
171 | netlbl_secattr_init(&secattr); | 196 | netlbl_secattr_init(&secattr); |
172 | rc = netlbl_skbuff_getattr(skb, family, &secattr); | 197 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
173 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { | 198 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
174 | rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); | 199 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); |
175 | if (rc == 0 && | 200 | else |
176 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | ||
177 | (secattr.flags & NETLBL_SECATTR_CACHE)) | ||
178 | netlbl_cache_add(skb, &secattr); | ||
179 | } else | ||
180 | *sid = SECSID_NULL; | 201 | *sid = SECSID_NULL; |
181 | *type = secattr.type; | 202 | *type = secattr.type; |
182 | netlbl_secattr_destroy(&secattr); | 203 | netlbl_secattr_destroy(&secattr); |
@@ -210,9 +231,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
210 | netlbl_secattr_init(&secattr); | 231 | netlbl_secattr_init(&secattr); |
211 | if (netlbl_sock_getattr(sk, &secattr) == 0 && | 232 | if (netlbl_sock_getattr(sk, &secattr) == 0 && |
212 | secattr.flags != NETLBL_SECATTR_NONE && | 233 | secattr.flags != NETLBL_SECATTR_NONE && |
213 | security_netlbl_secattr_to_sid(&secattr, | 234 | security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0) |
214 | SECINITSID_NETMSG, | ||
215 | &nlbl_peer_sid) == 0) | ||
216 | sksec->peer_sid = nlbl_peer_sid; | 235 | sksec->peer_sid = nlbl_peer_sid; |
217 | netlbl_secattr_destroy(&secattr); | 236 | netlbl_secattr_destroy(&secattr); |
218 | 237 | ||
@@ -316,15 +335,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |||
316 | 335 | ||
317 | netlbl_secattr_init(&secattr); | 336 | netlbl_secattr_init(&secattr); |
318 | rc = netlbl_skbuff_getattr(skb, family, &secattr); | 337 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
319 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { | 338 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
320 | rc = security_netlbl_secattr_to_sid(&secattr, | 339 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); |
321 | SECINITSID_NETMSG, | 340 | else |
322 | &nlbl_sid); | ||
323 | if (rc == 0 && | ||
324 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | ||
325 | (secattr.flags & NETLBL_SECATTR_CACHE)) | ||
326 | netlbl_cache_add(skb, &secattr); | ||
327 | } else | ||
328 | nlbl_sid = SECINITSID_UNLABELED; | 341 | nlbl_sid = SECINITSID_UNLABELED; |
329 | netlbl_secattr_destroy(&secattr); | 342 | netlbl_secattr_destroy(&secattr); |
330 | if (rc != 0) | 343 | if (rc != 0) |