selinux: reduce the number of calls to synchronize_net() when flushing caches

When flushing the AVC, such as during a policy load, the various network caches are also flushed, with each making a call to synchronize_net() which has shown to be expensive in some cases. This patch consolidates the network cache flushes into a single AVC callback which only calls synchronize_net() once for each AVC cache flush. Reported-by: Jaejyn Shin <flagon22bass@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
author: Paul Moore <pmoore@redhat.com> 2014-06-26 14:33:56 -0400
committer: Paul Moore <pmoore@redhat.com> 2014-06-26 14:33:56 -0400
commit: 615e51fdda6f274e94b1e905fcaf6111e0d9aa20 (patch)
tree: d0ce12f9f5e086c293a7255e3e712d2a42be02b9 /security/selinux/hooks.c
parent: f31e799459659ae88c341aeac16a8a5efb1271d4 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 336f0a04450e..39bc8c94b969 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
        return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
 }
+static int selinux_netcache_avc_callback(u32 event)
+{
+        if (event == AVC_CALLBACK_RESET) {
+                sel_netif_flush();
+                sel_netnode_flush();
+                sel_netport_flush();
+                synchronize_net();
+        }
+        return 0;
+}
 /*
 * initialise the security for the init task
 */
@@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
        if (register_security(&selinux_ops))
                panic("SELinux: Unable to register with kernel.\n");
+        if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
+                panic("SELinux: Unable to register AVC netcache callback\n");
        if (selinux_enforcing)
                printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
        else
author	Paul Moore <pmoore@redhat.com>	2014-06-26 14:33:56 -0400
committer	Paul Moore <pmoore@redhat.com>	2014-06-26 14:33:56 -0400
commit	615e51fdda6f274e94b1e905fcaf6111e0d9aa20 (patch)
tree	d0ce12f9f5e086c293a7255e3e712d2a42be02b9 /security/selinux/hooks.c
parent	f31e799459659ae88c341aeac16a8a5efb1271d4 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 336f0a04450e..39bc8c94b969 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
161	return (selinux_policycap_alwaysnetwork \|\| netlbl_enabled() \|\| selinux_xfrm_enabled());	161	return (selinux_policycap_alwaysnetwork \|\| netlbl_enabled() \|\| selinux_xfrm_enabled());
162	}	162	}
163		163
		164	static int selinux_netcache_avc_callback(u32 event)
		165	{
		166	if (event == AVC_CALLBACK_RESET) {
		167	sel_netif_flush();
		168	sel_netnode_flush();
		169	sel_netport_flush();
		170	synchronize_net();
		171	}
		172	return 0;
		173	}
		174
164	/*	175	/*
165	* initialise the security for the init task	176	* initialise the security for the init task
166	*/	177	*/
@@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
5993	if (register_security(&selinux_ops))	6004	if (register_security(&selinux_ops))
5994	panic("SELinux: Unable to register with kernel.\n");	6005	panic("SELinux: Unable to register with kernel.\n");
5995		6006
		6007	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
		6008	panic("SELinux: Unable to register AVC netcache callback\n");
		6009
5996	if (selinux_enforcing)	6010	if (selinux_enforcing)
5997	printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");	6011	printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5998	else	6012	else