From 0d90a7ec48c704025307b129413bc62451b20ab3 Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:02 -0500 Subject: SELinux: Condense super block security structure flags and cleanup necessary code. The super block security structure currently has three fields for what are essentially flags. The flags field is used for mount options while two other char fields are used for initialization and proc flags. These latter two fields are essentially bit fields since the only used values are 0 and 1. These fields have been collapsed into the flags field and new bit masks have been added for them. The code is also fixed to work with these new flags. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/include/security.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 72447370bc95..ff4e19ccd8f8 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -37,10 +37,16 @@ #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY #endif +/* Mask for just the mount related flags */ +#define SE_MNTMASK 0x0f +/* Super block security struct flags for mount options */ #define CONTEXT_MNT 0x01 #define FSCONTEXT_MNT 0x02 #define ROOTCONTEXT_MNT 0x04 #define DEFCONTEXT_MNT 0x08 +/* Non-mount related flags */ +#define SE_SBINITIALIZED 0x10 +#define SE_SBPROC 0x20 #define CONTEXT_STR "context=" #define FSCONTEXT_STR "fscontext=" -- cgit v1.2.2 From 11689d47f0957121920c9ec646eb5d838755853a Mon Sep 17 00:00:00 2001 From: "David P. Quigley" Date: Fri, 16 Jan 2009 09:22:03 -0500 Subject: SELinux: Add new security mount option to indicate security label support. There is no easy way to tell if a file system supports SELinux security labeling. Because of this a new flag is being added to the super block security structure to indicate that the particular super block supports labeling. This flag is set for file systems using the xattr, task, and transition labeling methods unless that behavior is overridden by context mounts. Signed-off-by: David P. Quigley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/include/security.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ff4e19ccd8f8..e1d9db779983 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -47,11 +47,13 @@ /* Non-mount related flags */ #define SE_SBINITIALIZED 0x10 #define SE_SBPROC 0x20 +#define SE_SBLABELSUPP 0x40 #define CONTEXT_STR "context=" #define FSCONTEXT_STR "fscontext=" #define ROOTCONTEXT_STR "rootcontext=" #define DEFCONTEXT_STR "defcontext=" +#define LABELSUPP_STR "seclabel" struct netlbl_lsm_secattr; -- cgit v1.2.2 From f1c6381a6e337adcecf84be2a838bd9e610e2365 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 14:50:54 -0500 Subject: SELinux: remove unused av.decided field It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris Reviewed-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/include/security.h | 1 - 1 file changed, 1 deletion(-) (limited to 'security/selinux/include/security.h') diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index e1d9db779983..5c3434f7626f 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap); #define SEL_VEC_MAX 32 struct av_decision { u32 allowed; - u32 decided; u32 auditallow; u32 auditdeny; u32 seqno; -- cgit v1.2.2