authorYuichi Nakamura <ynakam@hitachisoft.jp>2007-09-13 20:27:07 -0400
committerJames Morris <jmorris@namei.org>2007-10-16 18:59:31 -0400
commit788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch)
treecbe2d2a360aaf7dc243bef432e1c50507ae6db7b /include/linux
parent3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff)
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating permissions in selinux_file_permission if the task or inode labels have changed or the policy has changed since the open-time check. A new LSM hook, security_dentry_open, is added to capture the necessary state at open time to allow this optimization. (see http://marc.info/?l=selinux&m=118972995207740&w=2) Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/security.h18
1 files changed, 18 insertions, 0 deletions
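--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -504,6 +504,13 @@ struct request_sock;
  * @file contains the file structure being received.
  * Return 0 if permission is granted.
  *
+ * Security hook for dentry
+ *
+ * @dentry_open
+ * Save open-time permission checking state for later use upon
+ * file_permission, and recheck access if anything has changed
+ * since inode_permission.
+ *
  * Security hooks for task operations.
  *
  * @task_create:
@@ -1256,6 +1263,7 @@ struct security_operations {
 	int (*file_send_sigiotask) (struct task_struct * tsk,
 				    struct fown_struct * fown, int sig);
 	int (*file_receive) (struct file * file);
+	int (*dentry_open) (struct file *file);
 
 	int (*task_create) (unsigned long clone_flags);
 	int (*task_alloc_security) (struct task_struct * p);
@@ -1864,6 +1872,11 @@ static inline int security_file_receive (struct file *file)
 	return security_ops->file_receive (file);
 }
 
+static inline int security_dentry_open (struct file *file)
+{
+	return security_ops->dentry_open (file);
+}
+
 static inline int security_task_create (unsigned long clone_flags)
 {
 	return security_ops->task_create (clone_flags);
@@ -2546,6 +2559,11 @@ static inline int security_file_receive (struct file *file)
 	return 0;
 }
 
+static inline int security_dentry_open (struct file *file)
+{
+	return 0;
+}
+
 static inline int security_task_create (unsigned long clone_flags)
 {
 	return 0;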
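Review bot: The new @dentry_open entry in the hook documentation (first hunk) omits the parameter and return-value lines that every neighbouring hook carries, so a reader cannot tell from the comment what the hook is handed or what a non-zero result means; it should end with `@file contains the file structure being opened.` and `Return 0 if permission is granted.`, matching the @file_receive text directly above it. The added heading `Security hook for dentry` introduces a single hook whose only argument is a struct file, not a dentry — presumably the name follows the dentry_open() caller — and a short sentence saying so would keep readers from looking for a dentry argument. The !CONFIG_SECURITY stub in the last hunk returns 0 unconditionally, consistent with the sibling stubs, so callers need no special-casing there; note that the optimisation described in the commit message relies on every LSM that wants open-time revalidation state to implement this hook, which is worth stating in the comment as well.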