SELinux: remove unused av.decided field
It appears there was an intention to have the security server only decide certain permissions and leave others for later as some sort of potential performance win. We are currently always deciding all 32 bits of permissions, so this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This results in a 17% reduction in the time spent in avc_has_perm_noaudit, based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
parent
21193dcd1f
commit
f1c6381a6e
@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
|
||||||
* @ssid: source security identifier
|
* @ssid: source security identifier
|
||||||
* @tsid: target security identifier
|
* @tsid: target security identifier
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
* @requested: requested permissions, interpreted based on @tclass
|
|
||||||
*
|
*
|
||||||
* Look up an AVC entry that is valid for the
|
* Look up an AVC entry that is valid for the
|
||||||
* @requested permissions between the SID pair
|
|
||||||
* (@ssid, @tsid), interpreting the permissions
|
* (@ssid, @tsid), interpreting the permissions
|
||||||
* based on @tclass. If a valid AVC entry exists,
|
* based on @tclass. If a valid AVC entry exists,
|
||||||
* then this function return the avc_node.
|
* then this function return the avc_node.
|
||||||
* Otherwise, this function returns NULL.
|
* Otherwise, this function returns NULL.
|
||||||
*/
|
*/
|
||||||
static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)
|
static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
|
||||||
{
|
{
|
||||||
struct avc_node *node;
|
struct avc_node *node;
|
||||||
|
|
||||||
avc_cache_stats_incr(lookups);
|
avc_cache_stats_incr(lookups);
|
||||||
node = avc_search_node(ssid, tsid, tclass);
|
node = avc_search_node(ssid, tsid, tclass);
|
||||||
|
|
||||||
if (node && ((node->ae.avd.decided & requested) == requested)) {
|
if (node)
|
||||||
avc_cache_stats_incr(hits);
|
avc_cache_stats_incr(hits);
|
||||||
goto out;
|
else
|
||||||
}
|
avc_cache_stats_incr(misses);
|
||||||
|
|
||||||
node = NULL;
|
|
||||||
avc_cache_stats_incr(misses);
|
|
||||||
out:
|
|
||||||
return node;
|
return node;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
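Review bot: The kerneldoc on avc_lookup no longer reads as a sentence once the two `@requested` lines are dropped: "Look up an AVC entry that is valid for the" now runs straight into "(@ssid, @tsid), interpreting the permissions". Rewording the first of those lines to `* Look up an AVC entry that is valid for the SID pair` keeps the paragraph coherent with the new three-argument signature. The new unbraced `if (node) ... else ...` also relies on avc_cache_stats_incr expanding to a single statement; the macro is defined outside this hunk, so it is worth confirming it is a do/while(0) form in both the stats-enabled and stats-disabled builds, otherwise the `else` would not attach.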
@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
|
|
||||||
node = avc_lookup(ssid, tsid, tclass, requested);
|
node = avc_lookup(ssid, tsid, tclass);
|
||||||
if (!node) {
|
if (!node) {
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
||||||
|
|
|
@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
|
||||||
#define SEL_VEC_MAX 32
|
#define SEL_VEC_MAX 32
|
||||||
struct av_decision {
|
struct av_decision {
|
||||||
u32 allowed;
|
u32 allowed;
|
||||||
u32 decided;
|
|
||||||
u32 auditallow;
|
u32 auditallow;
|
||||||
u32 auditdeny;
|
u32 auditdeny;
|
||||||
u32 seqno;
|
u32 seqno;
|
||||||
|
|
|
@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
|
||||||
|
|
||||||
length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
|
length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
|
||||||
"%x %x %x %x %u",
|
"%x %x %x %x %u",
|
||||||
avd.allowed, avd.decided,
|
avd.allowed, 0xffffffff,
|
||||||
avd.auditallow, avd.auditdeny,
|
avd.auditallow, avd.auditdeny,
|
||||||
avd.seqno);
|
avd.seqno);
|
||||||
out2:
|
out2:
|
||||||
|
|
|
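Review bot: The literal `0xffffffff` that replaces avd.decided in the scnprintf argument list has no comment saying why a removed field is still printed. Presumably the five-field "%x %x %x %x %u" output is read by userspace, so the column must remain and must report every bit as decided; a one-line comment above the call such as `/* decided vector removed: report all bits decided to keep the userspace output format */` would stop a later cleanup from dropping the column and silently changing the interface. sel_write_access starts and ends outside the hunk.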
@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext,
|
||||||
* Initialize the access vectors to the default values.
|
* Initialize the access vectors to the default values.
|
||||||
*/
|
*/
|
||||||
avd->allowed = 0;
|
avd->allowed = 0;
|
||||||
avd->decided = 0xffffffff;
|
|
||||||
avd->auditallow = 0;
|
avd->auditallow = 0;
|
||||||
avd->auditdeny = 0xffffffff;
|
avd->auditdeny = 0xffffffff;
|
||||||
avd->seqno = latest_granting;
|
avd->seqno = latest_granting;
|
||||||
|
@ -743,7 +742,6 @@ int security_compute_av(u32 ssid,
|
||||||
|
|
||||||
if (!ss_initialized) {
|
if (!ss_initialized) {
|
||||||
avd->allowed = 0xffffffff;
|
avd->allowed = 0xffffffff;
|
||||||
avd->decided = 0xffffffff;
|
|
||||||
avd->auditallow = 0;
|
avd->auditallow = 0;
|
||||||
avd->auditdeny = 0xffffffff;
|
avd->auditdeny = 0xffffffff;
|
||||||
avd->seqno = latest_granting;
|
avd->seqno = latest_granting;
|
||||||
|
|