Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f1c6381a authored by Eric Paris's avatar Eric Paris Committed by James Morris
Browse files

SELinux: remove unused av.decided field 



It appears there was an intention to have the security server only decide
certain permissions and leave other for later as some sort of a portential
performance win.  We are currently always deciding all 32 bits of
permissions and this is a useless couple of branches and wasted space.
This patch completely drops the av.decided concept.

This in a 17% reduction in the time spent in avc_has_perm_noaudit
based on oprofile sampling of a tbench benchmark.

Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Reviewed-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 21193dcd

security/selinux/avc.c

+5 −10
Original line number Diff line number Diff line
@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) 
 * @ssid: source security identifier

 * @tsid: target security identifier

 * @tclass: target security class

 * @requested: requested permissions, interpreted based on @tclass

 *

 * Look up an AVC entry that is valid for the

 * @requested permissions between the SID pair

 * (@ssid, @tsid), interpreting the permissions

 * based on @tclass.  If a valid AVC entry exists,

 * then this function return the avc_node.

 * Otherwise, this function returns NULL.

 */

static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)

static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)

{

	struct avc_node *node;



	avc_cache_stats_incr(lookups);

	node = avc_search_node(ssid, tsid, tclass);



	if (node && ((node->ae.avd.decided & requested) == requested)) {

	if (node)

		avc_cache_stats_incr(hits);

		goto out;

	}



	node = NULL;

	else

		avc_cache_stats_incr(misses);

out:



	return node;

}
@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, 


	rcu_read_lock();



	node = avc_lookup(ssid, tsid, tclass, requested);

	node = avc_lookup(ssid, tsid, tclass);

	if (!node) {

		rcu_read_unlock();

security/selinux/include/security.h

+0 −1
Original line number Diff line number Diff line
@@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap); 
#define SEL_VEC_MAX 32

struct av_decision {

	u32 allowed;

	u32 decided;

	u32 auditallow;

	u32 auditdeny;

	u32 seqno;

security/selinux/selinuxfs.c

+1 −1
Original line number Diff line number Diff line
@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) 


	length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,

			  "%x %x %x %x %u",

			  avd.allowed, avd.decided,

			  avd.allowed, 0xffffffff,

			  avd.auditallow, avd.auditdeny,

			  avd.seqno);

out2:

security/selinux/ss/services.c

+0 −2
Original line number Diff line number Diff line
@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext, 
	 * Initialize the access vectors to the default values.

	 */

	avd->allowed = 0;

	avd->decided = 0xffffffff;

	avd->auditallow = 0;

	avd->auditdeny = 0xffffffff;

	avd->seqno = latest_granting;
@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid, 


	if (!ss_initialized) {

		avd->allowed = 0xffffffff;

		avd->decided = 0xffffffff;

		avd->auditallow = 0;

		avd->auditdeny = 0xffffffff;

		avd->seqno = latest_granting;