diff options
author | Yuichi Nakamura <ynakam@hitachisoft.jp> | 2007-09-13 20:27:07 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-10-16 18:59:31 -0400 |
commit | 788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch) | |
tree | cbe2d2a360aaf7dc243bef432e1c50507ae6db7b /security/selinux/include | |
parent | 3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff) |
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating
permissions in selinux_file_permission if the task or inode labels have
changed or the policy has changed since the open-time check. A new LSM
hook, security_dentry_open, is added to capture the necessary state at open
time to allow this optimization.
(see http://marc.info/?l=selinux&m=118972995207740&w=2)
Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/avc.h | 2 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index e145f6e13b0b..553607a19e92 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -112,6 +112,8 @@ int avc_has_perm(u32 ssid, u32 tsid, | |||
112 | u16 tclass, u32 requested, | 112 | u16 tclass, u32 requested, |
113 | struct avc_audit_data *auditdata); | 113 | struct avc_audit_data *auditdata); |
114 | 114 | ||
115 | u32 avc_policy_seqno(void); | ||
116 | |||
115 | #define AVC_CALLBACK_GRANT 1 | 117 | #define AVC_CALLBACK_GRANT 1 |
116 | #define AVC_CALLBACK_TRY_REVOKE 2 | 118 | #define AVC_CALLBACK_TRY_REVOKE 2 |
117 | #define AVC_CALLBACK_REVOKE 4 | 119 | #define AVC_CALLBACK_REVOKE 4 |
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 91b88f0ba20c..642a9fd319ad 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -53,6 +53,8 @@ struct file_security_struct { | |||
53 | struct file *file; /* back pointer to file object */ | 53 | struct file *file; /* back pointer to file object */ |
54 | u32 sid; /* SID of open file description */ | 54 | u32 sid; /* SID of open file description */ |
55 | u32 fown_sid; /* SID of file owner (for SIGIO) */ | 55 | u32 fown_sid; /* SID of file owner (for SIGIO) */ |
56 | u32 isid; /* SID of inode at the time of file open */ | ||
57 | u32 pseqno; /* Policy seqno at the time of file open */ | ||
56 | }; | 58 | }; |
57 | 59 | ||
58 | struct superblock_security_struct { | 60 | struct superblock_security_struct { |