authorYuichi Nakamura <ynakam@hitachisoft.jp>2007-09-13 20:27:07 -0400
committerJames Morris <jmorris@namei.org>2007-10-16 18:59:31 -0400
commit788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch)
treecbe2d2a360aaf7dc243bef432e1c50507ae6db7b /security/selinux/include
parent3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff)
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating permissions in selinux_file_permission if the task or inode labels have changed or the policy has changed since the open-time check. A new LSM hook, security_dentry_open, is added to capture the necessary state at open time to allow this optimization. (see http://marc.info/?l=selinux&m=118972995207740&w=2) Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/avc.h2
-rw-r--r--security/selinux/include/objsec.h2
2 files changed, 4 insertions, 0 deletions
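--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -112,6 +112,8 @@ int avc_has_perm(u32 ssid, u32 tsid,
 		 u16 tclass, u32 requested,
 		 struct avc_audit_data *auditdata);
 
+u32 avc_policy_seqno(void);
+
 #define AVC_CALLBACK_GRANT		1
 #define AVC_CALLBACK_TRY_REVOKE		2
 #define AVC_CALLBACK_REVOKE		4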
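Review bot: The new `avc_policy_seqno` prototype carries no comment, although its return value is what the commit relies on to decide whether an open-time permission check is still valid. A one-line header comment would make that contract visible to callers in other files: `/* Current policy sequence number; a change since a cached check means that check must be redone. */`. The surrounding declarations in this header are also undocumented, so this would be a slight departure from local style, but the value is compared across time rather than merely read, which is worth stating.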
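--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -53,6 +53,8 @@ struct file_security_struct {
 	struct file *file;		/* back pointer to file object */
 	u32 sid;			/* SID of open file description */
 	u32 fown_sid;		/* SID of file owner (for SIGIO) */
+	u32 isid;		/* SID of inode at the time of file open */
+	u32 pseqno;		/* Policy seqno at the time of file open */
 };
 
 struct superblock_security_struct {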
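Review bot: The comments on the two new fields say when they are captured but not what they are for, so a reader of this header cannot tell that a stale value here suppresses a later permission check. Since the commit description says the snapshot is taken in the new security_dentry_open hook and consulted in selinux_file_permission, I would state that in the comments, e.g. `/* SID of inode at open; file_permission recheck skipped only while it matches */` and `/* Policy seqno at open; any policy reload invalidates the open-time check */`. It would also help to note, presumably near `sid` above, which SID the task-label comparison uses, since the revalidation condition in the description names the task label as well as the inode label and policy; I cannot confirm from this header which field carries it. The enclosing struct starts before this hunk.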