diff options
author | Yuichi Nakamura <ynakam@hitachisoft.jp> | 2007-09-13 20:27:07 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-10-16 18:59:31 -0400 |
commit | 788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch) | |
tree | cbe2d2a360aaf7dc243bef432e1c50507ae6db7b /security | |
parent | 3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff) |
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating
permissions in selinux_file_permission if the task or inode labels have
changed or the policy has changed since the open-time check. A new LSM
hook, security_dentry_open, is added to capture the necessary state at open
time to allow this optimization.
(see http://marc.info/?l=selinux&m=118972995207740&w=2)
Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/dummy.c | 6 | ||||
-rw-r--r-- | security/selinux/avc.c | 5 | ||||
-rw-r--r-- | security/selinux/hooks.c | 53 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 2 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 2 |
5 files changed, 67 insertions, 1 deletions
diff --git a/security/dummy.c b/security/dummy.c index 853ec2292798..64b647a0d9a6 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
@@ -463,6 +463,11 @@ static int dummy_file_receive (struct file *file) | |||
463 | return 0; | 463 | return 0; |
464 | } | 464 | } |
465 | 465 | ||
466 | static int dummy_dentry_open (struct file *file) | ||
467 | { | ||
468 | return 0; | ||
469 | } | ||
470 | |||
466 | static int dummy_task_create (unsigned long clone_flags) | 471 | static int dummy_task_create (unsigned long clone_flags) |
467 | { | 472 | { |
468 | return 0; | 473 | return 0; |
@@ -1033,6 +1038,7 @@ void security_fixup_ops (struct security_operations *ops) | |||
1033 | set_to_dummy_if_null(ops, file_set_fowner); | 1038 | set_to_dummy_if_null(ops, file_set_fowner); |
1034 | set_to_dummy_if_null(ops, file_send_sigiotask); | 1039 | set_to_dummy_if_null(ops, file_send_sigiotask); |
1035 | set_to_dummy_if_null(ops, file_receive); | 1040 | set_to_dummy_if_null(ops, file_receive); |
1041 | set_to_dummy_if_null(ops, dentry_open); | ||
1036 | set_to_dummy_if_null(ops, task_create); | 1042 | set_to_dummy_if_null(ops, task_create); |
1037 | set_to_dummy_if_null(ops, task_alloc_security); | 1043 | set_to_dummy_if_null(ops, task_alloc_security); |
1038 | set_to_dummy_if_null(ops, task_free_security); | 1044 | set_to_dummy_if_null(ops, task_free_security); |
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 0e69adf63bdb..81b3dff3cbf0 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -916,3 +916,8 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, | |||
916 | avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); | 916 | avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); |
917 | return rc; | 917 | return rc; |
918 | } | 918 | } |
919 | |||
920 | u32 avc_policy_seqno(void) | ||
921 | { | ||
922 | return avc_cache.latest_notif; | ||
923 | } | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cf76150e623e..97b7e2738097 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -14,6 +14,8 @@ | |||
14 | * <dgoeddel@trustedcs.com> | 14 | * <dgoeddel@trustedcs.com> |
15 | * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. | 15 | * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. |
16 | * Paul Moore, <paul.moore@hp.com> | 16 | * Paul Moore, <paul.moore@hp.com> |
17 | * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. | ||
18 | * Yuichi Nakamura <ynakam@hitachisoft.jp> | ||
17 | * | 19 | * |
18 | * This program is free software; you can redistribute it and/or modify | 20 | * This program is free software; you can redistribute it and/or modify |
19 | * it under the terms of the GNU General Public License version 2, | 21 | * it under the terms of the GNU General Public License version 2, |
@@ -2464,7 +2466,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t | |||
2464 | 2466 | ||
2465 | /* file security operations */ | 2467 | /* file security operations */ |
2466 | 2468 | ||
2467 | static int selinux_file_permission(struct file *file, int mask) | 2469 | static int selinux_revalidate_file_permission(struct file *file, int mask) |
2468 | { | 2470 | { |
2469 | int rc; | 2471 | int rc; |
2470 | struct inode *inode = file->f_path.dentry->d_inode; | 2472 | struct inode *inode = file->f_path.dentry->d_inode; |
@@ -2486,6 +2488,25 @@ static int selinux_file_permission(struct file *file, int mask) | |||
2486 | return selinux_netlbl_inode_permission(inode, mask); | 2488 | return selinux_netlbl_inode_permission(inode, mask); |
2487 | } | 2489 | } |
2488 | 2490 | ||
2491 | static int selinux_file_permission(struct file *file, int mask) | ||
2492 | { | ||
2493 | struct inode *inode = file->f_path.dentry->d_inode; | ||
2494 | struct task_security_struct *tsec = current->security; | ||
2495 | struct file_security_struct *fsec = file->f_security; | ||
2496 | struct inode_security_struct *isec = inode->i_security; | ||
2497 | |||
2498 | if (!mask) { | ||
2499 | /* No permission to check. Existence test. */ | ||
2500 | return 0; | ||
2501 | } | ||
2502 | |||
2503 | if (tsec->sid == fsec->sid && fsec->isid == isec->sid | ||
2504 | && fsec->pseqno == avc_policy_seqno()) | ||
2505 | return selinux_netlbl_inode_permission(inode, mask); | ||
2506 | |||
2507 | return selinux_revalidate_file_permission(file, mask); | ||
2508 | } | ||
2509 | |||
2489 | static int selinux_file_alloc_security(struct file *file) | 2510 | static int selinux_file_alloc_security(struct file *file) |
2490 | { | 2511 | { |
2491 | return file_alloc_security(file); | 2512 | return file_alloc_security(file); |
@@ -2725,6 +2746,34 @@ static int selinux_file_receive(struct file *file) | |||
2725 | return file_has_perm(current, file, file_to_av(file)); | 2746 | return file_has_perm(current, file, file_to_av(file)); |
2726 | } | 2747 | } |
2727 | 2748 | ||
2749 | static int selinux_dentry_open(struct file *file) | ||
2750 | { | ||
2751 | struct file_security_struct *fsec; | ||
2752 | struct inode *inode; | ||
2753 | struct inode_security_struct *isec; | ||
2754 | inode = file->f_path.dentry->d_inode; | ||
2755 | fsec = file->f_security; | ||
2756 | isec = inode->i_security; | ||
2757 | /* | ||
2758 | * Save inode label and policy sequence number | ||
2759 | * at open-time so that selinux_file_permission | ||
2760 | * can determine whether revalidation is necessary. | ||
2761 | * Task label is already saved in the file security | ||
2762 | * struct as its SID. | ||
2763 | */ | ||
2764 | fsec->isid = isec->sid; | ||
2765 | fsec->pseqno = avc_policy_seqno(); | ||
2766 | /* | ||
2767 | * Since the inode label or policy seqno may have changed | ||
2768 | * between the selinux_inode_permission check and the saving | ||
2769 | * of state above, recheck that access is still permitted. | ||
2770 | * Otherwise, access might never be revalidated against the | ||
2771 | * new inode label or new policy. | ||
2772 | * This check is not redundant - do not remove. | ||
2773 | */ | ||
2774 | return inode_has_perm(current, inode, file_to_av(file), NULL); | ||
2775 | } | ||
2776 | |||
2728 | /* task security operations */ | 2777 | /* task security operations */ |
2729 | 2778 | ||
2730 | static int selinux_task_create(unsigned long clone_flags) | 2779 | static int selinux_task_create(unsigned long clone_flags) |
@@ -4794,6 +4843,8 @@ static struct security_operations selinux_ops = { | |||
4794 | .file_send_sigiotask = selinux_file_send_sigiotask, | 4843 | .file_send_sigiotask = selinux_file_send_sigiotask, |
4795 | .file_receive = selinux_file_receive, | 4844 | .file_receive = selinux_file_receive, |
4796 | 4845 | ||
4846 | .dentry_open = selinux_dentry_open, | ||
4847 | |||
4797 | .task_create = selinux_task_create, | 4848 | .task_create = selinux_task_create, |
4798 | .task_alloc_security = selinux_task_alloc_security, | 4849 | .task_alloc_security = selinux_task_alloc_security, |
4799 | .task_free_security = selinux_task_free_security, | 4850 | .task_free_security = selinux_task_free_security, |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index e145f6e13b0b..553607a19e92 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -112,6 +112,8 @@ int avc_has_perm(u32 ssid, u32 tsid, | |||
112 | u16 tclass, u32 requested, | 112 | u16 tclass, u32 requested, |
113 | struct avc_audit_data *auditdata); | 113 | struct avc_audit_data *auditdata); |
114 | 114 | ||
115 | u32 avc_policy_seqno(void); | ||
116 | |||
115 | #define AVC_CALLBACK_GRANT 1 | 117 | #define AVC_CALLBACK_GRANT 1 |
116 | #define AVC_CALLBACK_TRY_REVOKE 2 | 118 | #define AVC_CALLBACK_TRY_REVOKE 2 |
117 | #define AVC_CALLBACK_REVOKE 4 | 119 | #define AVC_CALLBACK_REVOKE 4 |
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 91b88f0ba20c..642a9fd319ad 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -53,6 +53,8 @@ struct file_security_struct { | |||
53 | struct file *file; /* back pointer to file object */ | 53 | struct file *file; /* back pointer to file object */ |
54 | u32 sid; /* SID of open file description */ | 54 | u32 sid; /* SID of open file description */ |
55 | u32 fown_sid; /* SID of file owner (for SIGIO) */ | 55 | u32 fown_sid; /* SID of file owner (for SIGIO) */ |
56 | u32 isid; /* SID of inode at the time of file open */ | ||
57 | u32 pseqno; /* Policy seqno at the time of file open */ | ||
56 | }; | 58 | }; |
57 | 59 | ||
58 | struct superblock_security_struct { | 60 | struct superblock_security_struct { |