d4669f0b
编写于
1月 16, 2017
作者:
John Johansen
apparmor: add per cpu work buffers to avoid allocating buffers at every hook
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
上级
e3ea1ca5
变更
2
Showing
2 changed file
with
103 addition
and
1 deletion
+103
-1
security/apparmor/include/path.h
security/apparmor/include/path.h
+53
-0
security/apparmor/lsm.c
security/apparmor/lsm.c
+50
-1
security/apparmor/include/path.h
...
@@ -29,4 +29,57 @@ enum path_flags {
...
@@ -29,4 +29,57 @@ enum path_flags {
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
const
char
**
name
,
const
char
**
info
);
const
char
**
name
,
const
char
**
info
);
#define MAX_PATH_BUFFERS 2
/* Per cpu buffers used during mediation */
/* preallocated buffers to use during path lookups */
struct
aa_buffers
{
char
*
buf
[
MAX_PATH_BUFFERS
];
};
#include <linux/percpu.h>
#include <linux/preempt.h>
DECLARE_PER_CPU
(
struct
aa_buffers
,
aa_buffers
);
#define COUNT_ARGS(X...) COUNT_ARGS_HELPER(, ##X, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define COUNT_ARGS_HELPER(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, n, X...) n
#define CONCAT(X, Y) X ## Y
#define CONCAT_AFTER(X, Y) CONCAT(X, Y)
#define ASSIGN(FN, X, N) ((X) = FN(N))
#define EVAL1(FN, X) ASSIGN(FN, X, 0)
/*X = FN(0)*/
#define EVAL2(FN, X, Y...) do { ASSIGN(FN, X, 1); EVAL1(FN, Y); } while (0)
#define EVAL(FN, X...) CONCAT_AFTER(EVAL, COUNT_ARGS(X))(FN, X)
#define for_each_cpu_buffer(I) for ((I) = 0; (I) < MAX_PATH_BUFFERS; (I)++)
#ifdef CONFIG_DEBUG_PREEMPT
#define AA_BUG_PREEMPT_ENABLED(X) AA_BUG(preempt_count() <= 0, X)
#else
#define AA_BUG_PREEMPT_ENABLED(X)
/* nop */
#endif
#define __get_buffer(N) ({ \
struct aa_buffers *__cpu_var; \
AA_BUG_PREEMPT_ENABLED("__get_buffer without preempt disabled"); \
__cpu_var = this_cpu_ptr(&aa_buffers); \
__cpu_var->buf[(N)]; })
#define __get_buffers(X...) EVAL(__get_buffer, X)
#define __put_buffers(X, Y...) ((void)&(X))
#define get_buffers(X...) \
do { \
preempt_disable(); \
__get_buffers(X); \
} while (0)
#define put_buffers(X, Y...) \
do { \
__put_buffers(X, Y); \
preempt_enable(); \
} while (0)
#endif
/* __AA_PATH_H */
#endif
/* __AA_PATH_H */
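Review bot: The new get_buffers()/put_buffers() pair keeps preemption disabled for as long as the caller uses the per-cpu slots, and __get_buffer() simply returns this_cpu_ptr(&aa_buffers)->buf[N] with no in-use tracking, yet nothing in the header states that the code in between must not sleep or call get_buffers() again on the same CPU (a nested call would hand back the same slots and clobber the outer caller's data). A comment above `get_buffers` would make that contract visible, e.g. `/* Preemption stays disabled until put_buffers(): callers must not sleep and must not nest get_buffers() on the same CPU. */`. Only EVAL1 and EVAL2 are defined, so raising MAX_PATH_BUFFERS above 2 fails at compile time with an undefined EVALn; a note next to `#define MAX_PATH_BUFFERS 2` saying so would save the next maintainer a confusing error. AA_BUG_PREEMPT_ENABLED only catches misuse under CONFIG_DEBUG_PREEMPT, so on production configs a caller that skips get_buffers() is not detected. The unprefixed helper names COUNT_ARGS, CONCAT and CONCAT_AFTER in a widely included header risk colliding with other definitions, and the two `#include` lines placed mid-file would conventionally move to the top of the header.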
security/apparmor/lsm.c
...
@@ -41,6 +41,9 @@
...
@@ -41,6 +41,9 @@
/* Flag indicating whether initialization completed */
/* Flag indicating whether initialization completed */
int
apparmor_initialized
__initdata
;
int
apparmor_initialized
__initdata
;
DEFINE_PER_CPU
(
struct
aa_buffers
,
aa_buffers
);
/*
/*
* LSM hook functions
* LSM hook functions
*/
*/
...
@@ -868,6 +871,43 @@ static int __init set_init_ctx(void)
...
@@ -868,6 +871,43 @@ static int __init set_init_ctx(void)
return
0
;
return
0
;
}
}
static
void
destroy_buffers
(
void
)
{
u32
i
,
j
;
for_each_possible_cpu
(
i
)
{
for_each_cpu_buffer
(
j
)
{
kfree
(
per_cpu
(
aa_buffers
,
i
).
buf
[
j
]);
per_cpu
(
aa_buffers
,
i
).
buf
[
j
]
=
NULL
;
}
}
}
static
int
__init
alloc_buffers
(
void
)
{
u32
i
,
j
;
for_each_possible_cpu
(
i
)
{
for_each_cpu_buffer
(
j
)
{
char
*
buffer
;
if
(
cpu_to_node
(
i
)
>
num_online_nodes
())
/* fallback to kmalloc for offline nodes */
buffer
=
kmalloc
(
aa_g_path_max
,
GFP_KERNEL
);
else
buffer
=
kmalloc_node
(
aa_g_path_max
,
GFP_KERNEL
,
cpu_to_node
(
i
));
if
(
!
buffer
)
{
destroy_buffers
();
return
-
ENOMEM
;
}
per_cpu
(
aa_buffers
,
i
).
buf
[
j
]
=
buffer
;
}
}
return
0
;
}
#ifdef CONFIG_SYSCTL
#ifdef CONFIG_SYSCTL
static
int
apparmor_dointvec
(
struct
ctl_table
*
table
,
int
write
,
static
int
apparmor_dointvec
(
struct
ctl_table
*
table
,
int
write
,
void
__user
*
buffer
,
size_t
*
lenp
,
loff_t
*
ppos
)
void
__user
*
buffer
,
size_t
*
lenp
,
loff_t
*
ppos
)
...
@@ -937,11 +977,17 @@ static int __init apparmor_init(void)
...
@@ -937,11 +977,17 @@ static int __init apparmor_init(void)
}
}
error
=
alloc_buffers
();
if
(
error
)
{
AA_ERROR
(
"Unable to allocate work buffers
\n
"
);
goto
buffers_out
;
}
error
=
set_init_ctx
();
error
=
set_init_ctx
();
if
(
error
)
{
if
(
error
)
{
AA_ERROR
(
"Failed to set context on init task
\n
"
);
AA_ERROR
(
"Failed to set context on init task
\n
"
);
aa_free_root_ns
();
aa_free_root_ns
();
goto
alloc
_out
;
goto
buffers
_out
;
}
}
security_add_hooks
(
apparmor_hooks
,
ARRAY_SIZE
(
apparmor_hooks
));
security_add_hooks
(
apparmor_hooks
,
ARRAY_SIZE
(
apparmor_hooks
));
...
@@ -956,6 +1002,9 @@ static int __init apparmor_init(void)
...
@@ -956,6 +1002,9 @@ static int __init apparmor_init(void)
return
error
;
return
error
;
buffers_out:
destroy_buffers
();
alloc_out:
alloc_out:
aa_destroy_aafs
();
aa_destroy_aafs
();
aa_teardown_dfa_engine
();
aa_teardown_dfa_engine
();
...
...
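Review bot: The node test in alloc_buffers, `if (cpu_to_node(i) > num_online_nodes())`, compares a node id against a count of online nodes, so a node id equal to num_online_nodes() (never online, since ids start at 0) still reaches kmalloc_node(), and the check gives the wrong answer whenever online node ids are not contiguous; the intended test is `if (!node_online(cpu_to_node(i)))`. On the allocation failure path, alloc_buffers() already calls destroy_buffers() before returning -ENOMEM, and apparmor_init then jumps to buffers_out and calls destroy_buffers() a second time; that is harmless only because destroy_buffers() sets each slot to NULL after kfree(), so either the internal cleanup or the `goto buffers_out` after AA_ERROR("Unable to allocate work buffers\n") should go (a `goto alloc_out` there would suffice). The buffers are sized from aa_g_path_max once at init; if that parameter can change after boot, the preallocated size no longer matches what callers of aa_path_name() assume — worth confirming it is read-only after init. The enclosing apparmor_init() body starts and ends outside these hunks.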