authorPaul Moore <paul.moore@hp.com>2008-01-29 08:44:18 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:27 -0500
commit5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8 (patch)
treee1e028acaf0dd08cbcacd2c125f60230f820b442 /security/selinux/netlabel.c
parentd621d35e576aa20a0ddae8022c3810f38357c8ff (diff)
SELinux: Allow NetLabel to directly cache SIDs
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID, we can do a big optimization: cache the SID itself, not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies, but it also has the nice side effect of removing a chunk of code. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/netlabel.c')
-rw-r--r--security/selinux/netlabel.c55
1 files changed, 34 insertions, 21 deletions
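diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index b54d28fd3b5..0fa2be4149e 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -36,6 +36,33 @@
 #include "security.h"
 
 /**
+ * selinux_netlbl_sidlookup_cached - Cache a SID lookup
+ * @skb: the packet
+ * @secattr: the NetLabel security attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Query the SELinux security server to lookup the correct SID for the given
+ * security attributes. If the query is successful, cache the result to speed
+ * up future lookups. Returns zero on success, negative values on failure.
+ *
+ */
+static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
+					   struct netlbl_lsm_secattr *secattr,
+					   u32 *sid)
+{
+	int rc;
+
+	rc = security_netlbl_secattr_to_sid(secattr, sid);
+	if (rc == 0 &&
+	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
+	    (secattr->flags & NETLBL_SECATTR_CACHE))
+		netlbl_cache_add(skb, secattr);
+
+	return rc;
+}
+
+/**
  * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
  * @sk: the socket to label
  * @sid: the SID to use
@@ -144,7 +171,6 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
  * @skb: the packet
  * @family: protocol family
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @type: NetLabel labeling protocol type
  * @sid: the SID
  *
@@ -156,7 +182,6 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
  */
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 				 u16 family,
-				 u32 base_sid,
 				 u32 *type,
 				 u32 *sid)
 {
@@ -170,13 +195,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, family, &secattr);
-	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
-		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
-		if (rc == 0 &&
-		    (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
-		    (secattr.flags & NETLBL_SECATTR_CACHE))
-			netlbl_cache_add(skb, &secattr);
-	} else
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
+	else
 		*sid = SECSID_NULL;
 	*type = secattr.type;
 	netlbl_secattr_destroy(&secattr);
@@ -210,9 +231,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 	netlbl_secattr_init(&secattr);
 	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
 	    secattr.flags != NETLBL_SECATTR_NONE &&
-	    security_netlbl_secattr_to_sid(&secattr,
-					   SECINITSID_NETMSG,
-					   &nlbl_peer_sid) == 0)
+	    security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0)
 		sksec->peer_sid = nlbl_peer_sid;
 	netlbl_secattr_destroy(&secattr);
 
@@ -316,15 +335,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, family, &secattr);
-	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
-		rc = security_netlbl_secattr_to_sid(&secattr,
-						    SECINITSID_NETMSG,
-						    &nlbl_sid);
-		if (rc == 0 &&
-		    (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
-		    (secattr.flags & NETLBL_SECATTR_CACHE))
-			netlbl_cache_add(skb, &secattr);
-	} else
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
+	else
 		nlbl_sid = SECINITSID_UNLABELED;
 	netlbl_secattr_destroy(&secattr);
 	if (rc != 0)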
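Review bot: The kernel-doc on the new selinux_netlbl_sidlookup_cached() helper in the first hunk says the result is cached whenever the lookup succeeds, but the body only calls netlbl_cache_add() when both NETLBL_SECATTR_CACHEABLE and NETLBL_SECATTR_CACHE are set in secattr->flags, and the return value of netlbl_cache_add() is discarded, so a failed insert is never reported and simply costs a full lookup on the next packet. I would make the comment match the code, replacing the "If the query is successful..." sentence with `* security attributes. On success, and only when the attributes are marked both` / `* cacheable and carrying a cache entry, add the result to the NetLabel cache` / `* (best-effort; insertion failures are ignored). Returns zero on success, negative values on failure.`. Whether dropping the netlbl_cache_add() result is deliberate cannot be told from this file, so a one-line why-comment above that call would help the next reader. selinux_netlbl_sock_graft() in the fourth hunk still calls security_netlbl_secattr_to_sid() directly rather than the cached helper, presumably because there is no skb to attach a cache entry to; a short note on that in the commit message would pre-empt the obvious question.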