
Commit f01e1af4 authored by Linus Torvalds's avatar Linus Torvalds

selinux: don't pass in NULL avd to avc_has_perm_noaudit



Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.

Don't do it.  The normal callers all pass a real avd pointer, and this
helper function is incredibly hot.  So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.

This also avoids some duplicated stack space.

Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent bc9bc72e
+2 −10
@@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno)
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *in_avd)
			 struct av_decision *avd)
{
	struct avc_node *node;
	struct av_decision avd_entry, *avd;
	int rc = 0;
	u32 denied;

@@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
	node = avc_lookup(ssid, tsid, tclass);
	if (unlikely(!node)) {
		rcu_read_unlock();

		if (in_avd)
			avd = in_avd;
		else
			avd = &avd_entry;

		security_compute_av(ssid, tsid, tclass, avd);
		rcu_read_lock();
		node = avc_insert(ssid, tsid, tclass, avd);
	} else {
		if (in_avd)
			memcpy(in_avd, &node->ae.avd, sizeof(*in_avd));
		memcpy(avd, &node->ae.avd, sizeof(*avd));
		avd = &node->ae.avd;
	}
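Review bot: The cache-hit branch now runs `memcpy(avd, &node->ae.avd, sizeof(*avd));` with no NULL test, and the miss branch hands `avd` straight to security_compute_av(), so the contract has changed from "avd may be NULL" to "avd must point to caller storage" without that being stated anywhere in the hunk. Only one caller is converted in this commit; any other caller still passing NULL (none is visible on this page) would fault inside the permission check instead of getting a decision. I would document the requirement at the definition rather than add a runtime test, which would undo the purpose of the change: `/* @avd: must be non-NULL; filled in on both the cache-hit and cache-miss paths */`. The line `avd = &node->ae.avd;` also repoints the parameter at the cache entry right after copying into the caller's buffer, which deserves a one-line comment because the body continues outside this hunk and presumably keeps reading through `avd`.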

+2 −1
@@ -2217,10 +2217,11 @@ out_unlock:
		goto out;
	}
	for (i = 0, j = 0; i < mynel; i++) {
		struct av_decision dummy_avd;
		rc = avc_has_perm_noaudit(fromsid, mysids[i],
					  SECCLASS_PROCESS, /* kernel value */
					  PROCESS__TRANSITION, AVC_STRICT,
					  NULL);
					  &dummy_avd);
		if (!rc)
			mysids2[j++] = mysids[i];
		cond_resched();
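Review bot: `struct av_decision dummy_avd;` is declared without an initialiser and is never read after the call, so nothing in this loop tells a reader that the variable exists only to satisfy the callee. Judging by the other file in this commit it is written on both the hit and the miss path, so this is not an uninitialised read, but that depends on avc_has_perm_noaudit() continuing to fill it. A short comment above the declaration would make the intent explicit: `/* avc_has_perm_noaudit() requires a non-NULL avd; the decision itself is unused here */`. The enclosing function starts and ends outside the hunk.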