diff options
author | Eric Paris <eparis@redhat.com> | 2009-02-12 14:50:54 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-02-14 09:23:08 +1100 |
commit | f1c6381a6e337adcecf84be2a838bd9e610e2365 (patch) | |
tree | a6e0857db27a38b0976fb422836f9443241b4b61 /security | |
parent | 21193dcd1f3570ddfd8a04f4465e484c1f94252f (diff) | |
download | lwn-f1c6381a6e337adcecf84be2a838bd9e610e2365.tar.gz lwn-f1c6381a6e337adcecf84be2a838bd9e610e2365.zip |
SELinux: remove unused av.decided field
It appears there was an intention to have the security server only decide
certain permissions and leave other for later as some sort of a portential
performance win. We are currently always deciding all 32 bits of
permissions and this is a useless couple of branches and wasted space.
This patch completely drops the av.decided concept.
This in a 17% reduction in the time spent in avc_has_perm_noaudit
based on oprofile sampling of a tbench benchmark.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 15 | ||||
-rw-r--r-- | security/selinux/include/security.h | 1 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 2 |
4 files changed, 6 insertions, 14 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 2a84dec4adfe..326aa78bd421 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass * * Look up an AVC entry that is valid for the - * @requested permissions between the SID pair * (@ssid, @tsid), interpreting the permissions * based on @tclass. If a valid AVC entry exists, * then this function return the avc_node. * Otherwise, this function returns NULL. */ -static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested) +static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) { struct avc_node *node; avc_cache_stats_incr(lookups); node = avc_search_node(ssid, tsid, tclass); - if (node && ((node->ae.avd.decided & requested) == requested)) { + if (node) avc_cache_stats_incr(hits); - goto out; - } + else + avc_cache_stats_incr(misses); - node = NULL; - avc_cache_stats_incr(misses); -out: return node; } @@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, rcu_read_lock(); - node = avc_lookup(ssid, tsid, tclass, requested); + node = avc_lookup(ssid, tsid, tclass); if (!node) { rcu_read_unlock(); diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index e1d9db779983..5c3434f7626f 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap); #define SEL_VEC_MAX 32 struct av_decision { u32 allowed; - u32 decided; u32 auditallow; u32 auditdeny; u32 seqno; diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 01ec6d2c6b97..d3c8b982cfb0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, "%x %x %x %x %u", - avd.allowed, avd.decided, + avd.allowed, 0xffffffff, avd.auditallow, avd.auditdeny, avd.seqno); out2: diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c65e4fe4a0f1..deeec6c013ae 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext, * Initialize the access vectors to the default values. */ avd->allowed = 0; - avd->decided = 0xffffffff; avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; @@ -743,7 +742,6 @@ int security_compute_av(u32 ssid, if (!ss_initialized) { avd->allowed = 0xffffffff; - avd->decided = 0xffffffff; avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; |