SELinux: Improve read/write performance

It reduces the selinux overhead on read/write by only revalidating
permissions in selinux_file_permission if the task or inode labels have
changed or the policy has changed since the open-time check.  A new LSM
hook, security_dentry_open, is added to capture the necessary state at open
time to allow this optimization.

(see http://marc.info/?l=selinux&m=118972995207740&w=2)

Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/security/dummy.c b/security/dummy.c
index 853ec2292798..64b647a0d9a6 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -463,6 +463,11 @@ static int dummy_file_receive (struct file *file)
         return 0;
 }
 
+static int dummy_dentry_open (struct file *file)
+{
+        return 0;
+}
+
 static int dummy_task_create (unsigned long clone_flags)
 {
         return 0;
@@ -1033,6 +1038,7 @@ void security_fixup_ops (struct security_operations *ops)
         set_to_dummy_if_null(ops, file_set_fowner);
         set_to_dummy_if_null(ops, file_send_sigiotask);
         set_to_dummy_if_null(ops, file_receive);
+        set_to_dummy_if_null(ops, dentry_open);
         set_to_dummy_if_null(ops, task_create);
         set_to_dummy_if_null(ops, task_alloc_security);
         set_to_dummy_if_null(ops, task_free_security);