path: root/security/selinux
author Eric Paris <eparis@redhat.com> 2009-09-20 21:23:01 -0400
committer James Morris <jmorris@namei.org> 2009-09-30 05:17:06 -0400
commit af8ff04917169805b151280155bf772d3ca9bec0 (patch)
tree 1a1ec17d0926b4bbe9f8b243231582dde02ef1f5 /security/selinux
parent 1669b049db50fc7f1d4e694fb115a0f408c63fce (diff)
SELinux: reset the security_ops before flushing the avc cache
This patch resets the security_ops to the secondary_ops before it flushes the avc.

It's still possible that a task on another processor could have already passed the security_ops dereference and be executing an selinux hook function which would add a new avc entry. That entry would still not be freed. This should however help to reduce the number of needless avcs the kernel has when selinux is disabled at run time.

There is no wasted memory if selinux is disabled on the command line or not compiled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r-- security/selinux/hooks.c 6
1 file changed, 3 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..a985d0bc59bb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5830,12 +5830,12 @@ int selinux_disable(void)
5830 selinux_disabled = 1; 5830 selinux_disabled = 1;
5831 selinux_enabled = 0; 5831 selinux_enabled = 0;
5832 5832
5833 /* Try to destroy the avc node cache */
5834 avc_disable();
5835
5836 /* Reset security_ops to the secondary module, dummy or capability. */ 5833 /* Reset security_ops to the secondary module, dummy or capability. */
5837 security_ops = secondary_ops; 5834 security_ops = secondary_ops;
5838 5835
5836 /* Try to destroy the avc node cache */
5837 avc_disable();
5838
5839 /* Unregister netfilter hooks. */ 5839 /* Unregister netfilter hooks. */
5840 selinux_nf_ip_exit(); 5840 selinux_nf_ip_exit();
5841 5841
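Review bot: The new ordering in selinux_disable() (security_ops = secondary_ops first, avc_disable() second) is load-bearing but nothing in the hunk records that, so a later cleanup could swap the two statements back without anyone noticing; the comment above the assignment should say why it must precede avc_disable(), for example "/* Must happen before avc_disable(): hooks entered via the old security_ops can still add avc nodes. */". It is also worth stating in that comment, as the changelog already does, that the plain pointer store gives no guarantee against a hook already in flight on another CPU, so this reorder only narrows the window in which entries are added to a cache that is about to be torn down; it does not close it.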