aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-02-12 14:50:54 -0500
committerJames Morris <jmorris@namei.org>2009-02-13 17:23:08 -0500
commitf1c6381a6e337adcecf84be2a838bd9e610e2365 (patch)
treea6e0857db27a38b0976fb422836f9443241b4b61
parent21193dcd1f3570ddfd8a04f4465e484c1f94252f (diff)
SELinux: remove unused av.decided field
It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/avc.c15
-rw-r--r--security/selinux/include/security.h1
-rw-r--r--security/selinux/selinuxfs.c2
-rw-r--r--security/selinux/ss/services.c2
4 files changed, 6 insertions, 14 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 2a84dec4adfe..326aa78bd421 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
381 * @ssid: source security identifier 381 * @ssid: source security identifier
382 * @tsid: target security identifier 382 * @tsid: target security identifier
383 * @tclass: target security class 383 * @tclass: target security class
384 * @requested: requested permissions, interpreted based on @tclass
385 * 384 *
386 * Look up an AVC entry that is valid for the 385 * Look up an AVC entry that is valid for the
387 * @requested permissions between the SID pair
388 * (@ssid, @tsid), interpreting the permissions 386 * (@ssid, @tsid), interpreting the permissions
389 * based on @tclass. If a valid AVC entry exists, 387 * based on @tclass. If a valid AVC entry exists,
390 * then this function return the avc_node. 388 * then this function return the avc_node.
391 * Otherwise, this function returns NULL. 389 * Otherwise, this function returns NULL.
392 */ 390 */
393static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested) 391static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
394{ 392{
395 struct avc_node *node; 393 struct avc_node *node;
396 394
397 avc_cache_stats_incr(lookups); 395 avc_cache_stats_incr(lookups);
398 node = avc_search_node(ssid, tsid, tclass); 396 node = avc_search_node(ssid, tsid, tclass);
399 397
400 if (node && ((node->ae.avd.decided & requested) == requested)) { 398 if (node)
401 avc_cache_stats_incr(hits); 399 avc_cache_stats_incr(hits);
402 goto out; 400 else
403 } 401 avc_cache_stats_incr(misses);
404 402
405 node = NULL;
406 avc_cache_stats_incr(misses);
407out:
408 return node; 403 return node;
409} 404}
410 405
@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
875 870
876 rcu_read_lock(); 871 rcu_read_lock();
877 872
878 node = avc_lookup(ssid, tsid, tclass, requested); 873 node = avc_lookup(ssid, tsid, tclass);
879 if (!node) { 874 if (!node) {
880 rcu_read_unlock(); 875 rcu_read_unlock();
881 876
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index e1d9db779983..5c3434f7626f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
88#define SEL_VEC_MAX 32 88#define SEL_VEC_MAX 32
89struct av_decision { 89struct av_decision {
90 u32 allowed; 90 u32 allowed;
91 u32 decided;
92 u32 auditallow; 91 u32 auditallow;
93 u32 auditdeny; 92 u32 auditdeny;
94 u32 seqno; 93 u32 seqno;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 01ec6d2c6b97..d3c8b982cfb0 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
595 595
596 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 596 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
597 "%x %x %x %x %u", 597 "%x %x %x %x %u",
598 avd.allowed, avd.decided, 598 avd.allowed, 0xffffffff,
599 avd.auditallow, avd.auditdeny, 599 avd.auditallow, avd.auditdeny,
600 avd.seqno); 600 avd.seqno);
601out2: 601out2:
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index c65e4fe4a0f1..deeec6c013ae 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext,
407 * Initialize the access vectors to the default values. 407 * Initialize the access vectors to the default values.
408 */ 408 */
409 avd->allowed = 0; 409 avd->allowed = 0;
410 avd->decided = 0xffffffff;
411 avd->auditallow = 0; 410 avd->auditallow = 0;
412 avd->auditdeny = 0xffffffff; 411 avd->auditdeny = 0xffffffff;
413 avd->seqno = latest_granting; 412 avd->seqno = latest_granting;
@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid,
743 742
744 if (!ss_initialized) { 743 if (!ss_initialized) {
745 avd->allowed = 0xffffffff; 744 avd->allowed = 0xffffffff;
746 avd->decided = 0xffffffff;
747 avd->auditallow = 0; 745 avd->auditallow = 0;
748 avd->auditdeny = 0xffffffff; 746 avd->auditdeny = 0xffffffff;
749 avd->seqno = latest_granting; 747 avd->seqno = latest_granting;