diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-05-24 16:48:51 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-05-26 21:13:57 -0400 |
| commit | f01e1af445fac107e91d62a2d59dd535f633810b (patch) | |
| tree | f5da7e4162f0a6f4bb50e4cb41f6a06c672f66b0 /security | |
| parent | bc9bc72e2f9bb07384c00604d1a40d0b5f62be6c (diff) | |
selinux: don't pass in NULL avd to avc_has_perm_noaudit
Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.
Don't do it. The normal callers all pass a real avd pointer, and this
helper function is incredibly hot. So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.
This also avoids some duplicated stack space.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/avc.c | 12 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 3 |
2 files changed, 4 insertions, 11 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index fcb89cb0f223..d515b2128a4e 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno) | |||
| 752 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, | 752 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
| 753 | u16 tclass, u32 requested, | 753 | u16 tclass, u32 requested, |
| 754 | unsigned flags, | 754 | unsigned flags, |
| 755 | struct av_decision *in_avd) | 755 | struct av_decision *avd) |
| 756 | { | 756 | { |
| 757 | struct avc_node *node; | 757 | struct avc_node *node; |
| 758 | struct av_decision avd_entry, *avd; | ||
| 759 | int rc = 0; | 758 | int rc = 0; |
| 760 | u32 denied; | 759 | u32 denied; |
| 761 | 760 | ||
| @@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 766 | node = avc_lookup(ssid, tsid, tclass); | 765 | node = avc_lookup(ssid, tsid, tclass); |
| 767 | if (unlikely(!node)) { | 766 | if (unlikely(!node)) { |
| 768 | rcu_read_unlock(); | 767 | rcu_read_unlock(); |
| 769 | |||
| 770 | if (in_avd) | ||
| 771 | avd = in_avd; | ||
| 772 | else | ||
| 773 | avd = &avd_entry; | ||
| 774 | |||
| 775 | security_compute_av(ssid, tsid, tclass, avd); | 768 | security_compute_av(ssid, tsid, tclass, avd); |
| 776 | rcu_read_lock(); | 769 | rcu_read_lock(); |
| 777 | node = avc_insert(ssid, tsid, tclass, avd); | 770 | node = avc_insert(ssid, tsid, tclass, avd); |
| 778 | } else { | 771 | } else { |
| 779 | if (in_avd) | 772 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
| 780 | memcpy(in_avd, &node->ae.avd, sizeof(*in_avd)); | ||
| 781 | avd = &node->ae.avd; | 773 | avd = &node->ae.avd; |
| 782 | } | 774 | } |
| 783 | 775 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c3e4b52699f4..973e00e34fa9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -2217,10 +2217,11 @@ out_unlock: | |||
| 2217 | goto out; | 2217 | goto out; |
| 2218 | } | 2218 | } |
| 2219 | for (i = 0, j = 0; i < mynel; i++) { | 2219 | for (i = 0, j = 0; i < mynel; i++) { |
| 2220 | struct av_decision dummy_avd; | ||
| 2220 | rc = avc_has_perm_noaudit(fromsid, mysids[i], | 2221 | rc = avc_has_perm_noaudit(fromsid, mysids[i], |
| 2221 | SECCLASS_PROCESS, /* kernel value */ | 2222 | SECCLASS_PROCESS, /* kernel value */ |
| 2222 | PROCESS__TRANSITION, AVC_STRICT, | 2223 | PROCESS__TRANSITION, AVC_STRICT, |
| 2223 | NULL); | 2224 | &dummy_avd); |
| 2224 | if (!rc) | 2225 | if (!rc) |
| 2225 | mysids2[j++] = mysids[i]; | 2226 | mysids2[j++] = mysids[i]; |
| 2226 | cond_resched(); | 2227 | cond_resched(); |