authorLinus Torvalds <torvalds@linux-foundation.org>2011-05-24 16:48:51 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2011-05-26 21:13:57 -0400
commitf01e1af445fac107e91d62a2d59dd535f633810b (patch)
treef5da7e4162f0a6f4bb50e4cb41f6a06c672f66b0 /security
parentbc9bc72e2f9bb07384c00604d1a40d0b5f62be6c (diff)
selinux: don't pass in NULL avd to avc_has_perm_noaudit
Right now security_get_user_sids() will pass in a NULL avd pointer to avc_has_perm_noaudit(), which then forces that function to have a dummy entry for that case and just generally test it. Don't do it. The normal callers all pass a real avd pointer, and this helper function is incredibly hot. So don't make avc_has_perm_noaudit() do conditional stuff that isn't needed for the common case. This also avoids some duplicated stack space. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c12
-rw-r--r--security/selinux/ss/services.c3
2 files changed, 4 insertions, 11 deletions
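--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno)
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 u16 tclass, u32 requested,
 unsigned flags,
-struct av_decision *in_avd)
+struct av_decision *avd)
 {
 struct avc_node *node;
-struct av_decision avd_entry, *avd;
 int rc = 0;
 u32 denied;
 
@@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 node = avc_lookup(ssid, tsid, tclass);
 if (unlikely(!node)) {
 rcu_read_unlock();
-
-if (in_avd)
-avd = in_avd;
-else
-avd = &avd_entry;
-
 security_compute_av(ssid, tsid, tclass, avd);
 rcu_read_lock();
 node = avc_insert(ssid, tsid, tclass, avd);
 } else {
-if (in_avd)
-memcpy(in_avd, &node->ae.avd, sizeof(*in_avd));
+memcpy(avd, &node->ae.avd, sizeof(*avd));
 avd = &node->ae.avd;
 }
 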
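Review bot: `avd` is now dereferenced unconditionally in `avc_has_perm_noaudit()`, but nothing visible states or checks that it must be non-NULL. It is written by `security_compute_av(ssid, tsid, tclass, avd)` on a cache miss and by `memcpy(avd, &node->ae.avd, sizeof(*avd))` on a hit, so a NULL argument would fault inside the access-check path instead of being tolerated as before. Only the `security_get_user_sids()` caller is updated in this commit and the other callers are not visible here, so the requirement belongs in the function's header comment, e.g. `@avd: access vector decisions; must not be NULL, it is filled in on both the hit and miss paths`. That header comment and the rest of the function body lie outside these hunks.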
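--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2217,10 +2217,11 @@ out_unlock:
 goto out;
 }
 for (i = 0, j = 0; i < mynel; i++) {
+struct av_decision dummy_avd;
 rc = avc_has_perm_noaudit(fromsid, mysids[i],
 SECCLASS_PROCESS, /* kernel value */
 PROCESS__TRANSITION, AVC_STRICT,
-NULL);
+&dummy_avd);
 if (!rc)
 mysids2[j++] = mysids[i];
 cond_resched();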
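Review bot: `dummy_avd` in the `for` loop is passed uninitialised and never read afterwards, which is easy to mistake for a forgotten use or a missing initialiser. A one-line comment above the declaration would make the intent explicit, e.g. `/* avc_has_perm_noaudit() requires a real avd; the decision itself is not used here */`. Judging by the avc.c hunks, the callee fills the structure through `security_compute_av()` or `memcpy()` before using it, so no initialiser looks necessary, but that relies on `security_compute_av()` populating every field that is later read, which is not visible here. The loop body continues past the end of the hunk.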