diff options
author | Yuichi Nakamura <ynakam@hitachisoft.jp> | 2007-09-13 20:27:07 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-10-16 18:59:31 -0400 |
commit | 788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch) | |
tree | cbe2d2a360aaf7dc243bef432e1c50507ae6db7b /include | |
parent | 3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff) |
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating
permissions in selinux_file_permission if the task or inode labels have
changed or the policy has changed since the open-time check. A new LSM
hook, security_dentry_open, is added to capture the necessary state at open
time to allow this optimization.
(see http://marc.info/?l=selinux&m=118972995207740&w=2)
Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 1a15526e9f67..928d4793c6f4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -504,6 +504,13 @@ struct request_sock; | |||
504 | * @file contains the file structure being received. | 504 | * @file contains the file structure being received. |
505 | * Return 0 if permission is granted. | 505 | * Return 0 if permission is granted. |
506 | * | 506 | * |
507 | * Security hook for dentry | ||
508 | * | ||
509 | * @dentry_open | ||
510 | * Save open-time permission checking state for later use upon | ||
511 | * file_permission, and recheck access if anything has changed | ||
512 | * since inode_permission. | ||
513 | * | ||
507 | * Security hooks for task operations. | 514 | * Security hooks for task operations. |
508 | * | 515 | * |
509 | * @task_create: | 516 | * @task_create: |
@@ -1256,6 +1263,7 @@ struct security_operations { | |||
1256 | int (*file_send_sigiotask) (struct task_struct * tsk, | 1263 | int (*file_send_sigiotask) (struct task_struct * tsk, |
1257 | struct fown_struct * fown, int sig); | 1264 | struct fown_struct * fown, int sig); |
1258 | int (*file_receive) (struct file * file); | 1265 | int (*file_receive) (struct file * file); |
1266 | int (*dentry_open) (struct file *file); | ||
1259 | 1267 | ||
1260 | int (*task_create) (unsigned long clone_flags); | 1268 | int (*task_create) (unsigned long clone_flags); |
1261 | int (*task_alloc_security) (struct task_struct * p); | 1269 | int (*task_alloc_security) (struct task_struct * p); |
@@ -1864,6 +1872,11 @@ static inline int security_file_receive (struct file *file) | |||
1864 | return security_ops->file_receive (file); | 1872 | return security_ops->file_receive (file); |
1865 | } | 1873 | } |
1866 | 1874 | ||
1875 | static inline int security_dentry_open (struct file *file) | ||
1876 | { | ||
1877 | return security_ops->dentry_open (file); | ||
1878 | } | ||
1879 | |||
1867 | static inline int security_task_create (unsigned long clone_flags) | 1880 | static inline int security_task_create (unsigned long clone_flags) |
1868 | { | 1881 | { |
1869 | return security_ops->task_create (clone_flags); | 1882 | return security_ops->task_create (clone_flags); |
@@ -2546,6 +2559,11 @@ static inline int security_file_receive (struct file *file) | |||
2546 | return 0; | 2559 | return 0; |
2547 | } | 2560 | } |
2548 | 2561 | ||
2562 | static inline int security_dentry_open (struct file *file) | ||
2563 | { | ||
2564 | return 0; | ||
2565 | } | ||
2566 | |||
2549 | static inline int security_task_create (unsigned long clone_flags) | 2567 | static inline int security_task_create (unsigned long clone_flags) |
2550 | { | 2568 | { |
2551 | return 0; | 2569 | return 0; |