author | Eric Paris <eparis@redhat.com> | 2009-02-12 14:50:54 -0500 |
committer | James Morris <jmorris@namei.org> | 2009-02-13 17:23:08 -0500 |
commit | f1c6381a6e337adcecf84be2a838bd9e610e2365 (patch) | |
tree | a6e0857db27a38b0976fb422836f9443241b4b61 | |
parent | 21193dcd1f3570ddfd8a04f4465e484c1f94252f (diff) |
SELinux: remove unused av.decided field
It appears there was an intention to have the security server only decide
certain permissions and leave others for later as some sort of a potential
performance win. We are currently always deciding all 32 bits of
permissions, so this is a useless couple of branches and wasted space.
This patch completely drops the av.decided concept.
This results in a 17% reduction in the time spent in avc_has_perm_noaudit
based on oprofile sampling of a tbench benchmark.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/avc.c | 15 | ||||
-rw-r--r-- | security/selinux/include/security.h | 1 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 2 |
4 files changed, 6 insertions, 14 deletions
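--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
- * @requested: requested permissions, interpreted based on @tclass
  *
  * Look up an AVC entry that is valid for the
- * @requested permissions between the SID pair
  * (@ssid, @tsid), interpreting the permissions
  * based on @tclass. If a valid AVC entry exists,
  * then this function return the avc_node.
  * Otherwise, this function returns NULL.
  */
-static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)
+static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
 {
 	struct avc_node *node;
 
 	avc_cache_stats_incr(lookups);
 	node = avc_search_node(ssid, tsid, tclass);
 
-	if (node && ((node->ae.avd.decided & requested) == requested)) {
+	if (node)
 		avc_cache_stats_incr(hits);
-		goto out;
-	}
+	else
+		avc_cache_stats_incr(misses);
 
-	node = NULL;
-	avc_cache_stats_incr(misses);
-out:
 	return node;
 }
 
@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 	rcu_read_lock();
 
-	node = avc_lookup(ssid, tsid, tclass, requested);
+	node = avc_lookup(ssid, tsid, tclass);
 	if (!node) {
 		rcu_read_unlock();
 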
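--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
 #define SEL_VEC_MAX 32
 struct av_decision {
 	u32 allowed;
-	u32 decided;
 	u32 auditallow;
 	u32 auditdeny;
 	u32 seqno;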
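--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
 
 	length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
 			   "%x %x %x %x %u",
-			   avd.allowed, avd.decided,
+			   avd.allowed, 0xffffffff,
 			   avd.auditallow, avd.auditdeny,
 			   avd.seqno);
 out2: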
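--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext,
 	 * Initialize the access vectors to the default values.
 	 */
 	avd->allowed = 0;
-	avd->decided = 0xffffffff;
 	avd->auditallow = 0;
 	avd->auditdeny = 0xffffffff;
 	avd->seqno = latest_granting;
@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid,
 
 	if (!ss_initialized) {
 		avd->allowed = 0xffffffff;
-		avd->decided = 0xffffffff;
 		avd->auditallow = 0;
 		avd->auditdeny = 0xffffffff;
 		avd->seqno = latest_granting;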