SELinux: remove unused av.decided field

It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2009-02-12 14:50:54 -05:00 · 2009-02-12 14:50:54 -05:00 · f1c6381a6e
parent 21193dcd1f
commit f1c6381a6e
4 changed files with 6 additions and 14 deletions
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
- * @requested: requested permissions, interpreted based on @tclass
 *
 * Look up an AVC entry that is valid for the
- * @requested permissions between the SID pair
 * (@ssid, @tsid), interpreting the permissions
 * based on @tclass.  If a valid AVC entry exists,
 * then this function return the avc_node.
 * Otherwise, this function returns NULL.
 */
-static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)
+static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
 {
 	struct avc_node *node;

 	avc_cache_stats_incr(lookups);
 	node = avc_search_node(ssid, tsid, tclass);

-	if (node && ((node->ae.avd.decided & requested) == requested)) {
+	if (node)
 		avc_cache_stats_incr(hits);
-		goto out;
-	}
+	else
+		avc_cache_stats_incr(misses);

-	node = NULL;
-	avc_cache_stats_incr(misses);
-out:
 	return node;
 }

@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,

 	rcu_read_lock();

-	node = avc_lookup(ssid, tsid, tclass, requested);
+	node = avc_lookup(ssid, tsid, tclass);
 	if (!node) {
 		rcu_read_unlock();

--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
 #define SEL_VEC_MAX 32
 struct av_decision {
 	u32 allowed;
-	u32 decided;
 	u32 auditallow;
 	u32 auditdeny;
 	u32 seqno;
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)

 	length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
 			  "%x %x %x %x %u",
-			  avd.allowed, avd.decided,
+			  avd.allowed, 0xffffffff,
 			  avd.auditallow, avd.auditdeny,
 			  avd.seqno);
 out2:
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext,
 	 * Initialize the access vectors to the default values.
 	 */
 	avd->allowed = 0;
-	avd->decided = 0xffffffff;
 	avd->auditallow = 0;
 	avd->auditdeny = 0xffffffff;
 	avd->seqno = latest_granting;
@ -743,7 +742,6 @@ int security_compute_av(u32 ssid,

 	if (!ss_initialized) {
 		avd->allowed = 0xffffffff;
-		avd->decided = 0xffffffff;
 		avd->auditallow = 0;
 		avd->auditdeny = 0xffffffff;
 		avd->seqno = latest_granting;