SELinux: Improve read/write performance

	f->f_op = fops_get(inode->i_fop);

	file_move(f, &inode->i_sb->s_files);

	error = security_dentry_open(f);

	if (error)

		goto cleanup_all;

	if (!open && f->f_op)

		open = f->f_op->open;

	if (open) {

 *	@file contains the file structure being received.

 *	Return 0 if permission is granted.

 *

 * Security hook for dentry

 *

 * @dentry_open

 *	Save open-time permission checking state for later use upon

 *	file_permission, and recheck access if anything has changed

 *	since inode_permission.

 *

 * Security hooks for task operations.

 *

 * @task_create:

	int (*file_send_sigiotask) (struct task_struct * tsk,

				    struct fown_struct * fown, int sig);

	int (*file_receive) (struct file * file);

	int (*dentry_open)  (struct file *file);

	int (*task_create) (unsigned long clone_flags);

	int (*task_alloc_security) (struct task_struct * p);

	return security_ops->file_receive (file);

}

static inline int security_dentry_open (struct file *file)

{

	return security_ops->dentry_open (file);

}

static inline int security_task_create (unsigned long clone_flags)

{

	return security_ops->task_create (clone_flags);

	return 0;

}

static inline int security_dentry_open (struct file *file)

{

	return 0;

}

static inline int security_task_create (unsigned long clone_flags)

{

	return 0;

	return 0;

}

static int dummy_dentry_open (struct file *file)

{

	return 0;

}

static int dummy_task_create (unsigned long clone_flags)

{

	return 0;

	set_to_dummy_if_null(ops, file_set_fowner);

	set_to_dummy_if_null(ops, file_send_sigiotask);

	set_to_dummy_if_null(ops, file_receive);

	set_to_dummy_if_null(ops, dentry_open);

	set_to_dummy_if_null(ops, task_create);

	set_to_dummy_if_null(ops, task_alloc_security);

	set_to_dummy_if_null(ops, task_free_security);

	avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);

	return rc;

}

u32 avc_policy_seqno(void)

{

	return avc_cache.latest_notif;

}

 *                          <dgoeddel@trustedcs.com>

 *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.

 *                     Paul Moore, <paul.moore@hp.com>

 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.

 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>

 *

 *	This program is free software; you can redistribute it and/or modify

 *	it under the terms of the GNU General Public License version 2,

/* file security operations */

static int selinux_file_permission(struct file *file, int mask)

static int selinux_revalidate_file_permission(struct file *file, int mask)

{

	int rc;

	struct inode *inode = file->f_path.dentry->d_inode;

	return selinux_netlbl_inode_permission(inode, mask);

}

static int selinux_file_permission(struct file *file, int mask)

{

	struct inode *inode = file->f_path.dentry->d_inode;

	struct task_security_struct *tsec = current->security;

	struct file_security_struct *fsec = file->f_security;

	struct inode_security_struct *isec = inode->i_security;

	if (!mask) {

		/* No permission to check.  Existence test. */

		return 0;

	}

	if (tsec->sid == fsec->sid && fsec->isid == isec->sid

	    && fsec->pseqno == avc_policy_seqno())

		return selinux_netlbl_inode_permission(inode, mask);

	return selinux_revalidate_file_permission(file, mask);

}

static int selinux_file_alloc_security(struct file *file)

{

	return file_alloc_security(file);

	return file_has_perm(current, file, file_to_av(file));

}

static int selinux_dentry_open(struct file *file)

{

	struct file_security_struct *fsec;

	struct inode *inode;

	struct inode_security_struct *isec;

	inode = file->f_path.dentry->d_inode;

	fsec = file->f_security;

	isec = inode->i_security;

	/*

	 * Save inode label and policy sequence number

	 * at open-time so that selinux_file_permission

	 * can determine whether revalidation is necessary.

	 * Task label is already saved in the file security

	 * struct as its SID.

	 */

	fsec->isid = isec->sid;

	fsec->pseqno = avc_policy_seqno();

	/*

	 * Since the inode label or policy seqno may have changed

	 * between the selinux_inode_permission check and the saving

	 * of state above, recheck that access is still permitted.

	 * Otherwise, access might never be revalidated against the

	 * new inode label or new policy.

	 * This check is not redundant - do not remove.

	 */

	return inode_has_perm(current, inode, file_to_av(file), NULL);

}

/* task security operations */

static int selinux_task_create(unsigned long clone_flags)

	.file_send_sigiotask =		selinux_file_send_sigiotask,

	.file_receive =			selinux_file_receive,

	.dentry_open =                  selinux_dentry_open,

	.task_create =			selinux_task_create,

	.task_alloc_security =		selinux_task_alloc_security,

	.task_free_security =		selinux_task_free_security,