author | Eric Paris <eparis@redhat.com> | 2011-04-28 15:11:21 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2011-04-28 15:15:52 -0400 |
commit | 03a4c0182a156547edd5f2717c1702590fe36bbf (patch) | |
tree | c4585fab7c37d4eb2cc46e93c925e7c2a5e7b1a2 /security/selinux/ss/policydb.c | |
parent | 2667991f60e67d28c495b8967aaabf84b4ccd560 (diff) |
SELinux: skip filename trans rules if ttype does not match parent dir
Right now we walk the filename trans rule list for every inode that is
created. First passes at policy using this facility creates around 5000
filename trans rules. Running a list of 5000 entries every time is a bad
idea. This patch adds a new ebitmap to policy which has a bit set for each
ttype that has at least 1 filename trans rule. Thus when an inode is
created we can quickly determine if any rules exist for this parent
directory type and can skip the list if we know there is definitely no
relevant entry.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss/policydb.c')
-rw-r--r-- | security/selinux/ss/policydb.c | 6 |
1 files changed, 6 insertions, 0 deletions
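diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 5591e422256a..4c1811972b8b 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -240,6 +240,7 @@ static int policydb_init(struct policydb *p)
 	if (!p->range_tr)
 		goto out;
 
+	ebitmap_init(&p->filename_trans_ttypes);
 	ebitmap_init(&p->policycaps);
 	ebitmap_init(&p->permissive_map);
 
@@ -801,6 +802,7 @@ void policydb_destroy(struct policydb *p)
 		ft = nft;
 	}
 
+	ebitmap_destroy(&p->filename_trans_ttypes);
 	ebitmap_destroy(&p->policycaps);
 	ebitmap_destroy(&p->permissive_map);
 
@@ -1868,6 +1870,10 @@ static int filename_trans_read(struct policydb *p, void *fp)
 		ft->ttype = le32_to_cpu(buf[1]);
 		ft->tclass = le32_to_cpu(buf[2]);
 		ft->otype = le32_to_cpu(buf[3]);
+
+		rc = ebitmap_set_bit(&p->filename_trans_ttypes, ft->ttype, 1);
+		if (rc)
+			goto out;
 	}
 	rc = 0;
 out: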
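Review bot: In the filename_trans_read hunk, `ft->ttype` is taken straight from the policy image (`le32_to_cpu(buf[1])`) and used as an ebitmap bit index in the new `ebitmap_set_bit` call without being checked against the number of types the policy actually declares, so a malformed policy can set an arbitrarily large bit in `filename_trans_ttypes`. Policy loading is privileged, so the impact is limited, but the other fields are not range-checked here either and a bounds check is cheap; assuming the usual `p->p_types.nprim` bound, I would add `if (!ft->ttype || ft->ttype > p->p_types.nprim) { rc = -EINVAL; goto out; }` before the set_bit call. The new failure path jumps to `out`, which lies outside the hunk, as does the code that allocates `ft` and links it into `p->filename_trans`; whether a partially built `ft` (and its name buffer) is freed or leaked on this new error depends on that ordering and is worth confirming. A one-line comment above the set_bit call, `/* mark this parent type as having at least one filename trans rule; checked before walking the list */`, would record why the bitmap is maintained alongside the list.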