提交 f1c6381a 编写于 作者: E Eric Paris 提交者: James Morris

SELinux: remove unused av.decided field

It appears there was an intention to have the security server only decide
certain permissions and leave other for later as some sort of a portential
performance win.  We are currently always deciding all 32 bits of
permissions and this is a useless couple of branches and wasted space.
This patch completely drops the av.decided concept.

This is a 17% reduction in the time spent in avc_has_perm_noaudit
based on oprofile sampling of a tbench benchmark.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NPaul Moore <paul.moore@hp.com>
Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 21193dcd
...@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) ...@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
* @ssid: source security identifier * @ssid: source security identifier
* @tsid: target security identifier * @tsid: target security identifier
* @tclass: target security class * @tclass: target security class
* @requested: requested permissions, interpreted based on @tclass
* *
* Look up an AVC entry that is valid for the * Look up an AVC entry that is valid for the
* @requested permissions between the SID pair
* (@ssid, @tsid), interpreting the permissions * (@ssid, @tsid), interpreting the permissions
* based on @tclass. If a valid AVC entry exists, * based on @tclass. If a valid AVC entry exists,
* then this function return the avc_node. * then this function return the avc_node.
* Otherwise, this function returns NULL. * Otherwise, this function returns NULL.
*/ */
static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested) static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
{ {
struct avc_node *node; struct avc_node *node;
avc_cache_stats_incr(lookups); avc_cache_stats_incr(lookups);
node = avc_search_node(ssid, tsid, tclass); node = avc_search_node(ssid, tsid, tclass);
if (node && ((node->ae.avd.decided & requested) == requested)) { if (node)
avc_cache_stats_incr(hits); avc_cache_stats_incr(hits);
goto out; else
}
node = NULL;
avc_cache_stats_incr(misses); avc_cache_stats_incr(misses);
out:
return node; return node;
} }
...@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
rcu_read_lock(); rcu_read_lock();
node = avc_lookup(ssid, tsid, tclass, requested); node = avc_lookup(ssid, tsid, tclass);
if (!node) { if (!node) {
rcu_read_unlock(); rcu_read_unlock();
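Review bot: With the `@requested permissions between the SID pair` line dropped, the avc_lookup comment now reads `Look up an AVC entry that is valid for the (@ssid, @tsid), interpreting the permissions based on @tclass`, which has lost its object and still refers to permissions the function no longer receives. Suggest replacing those two comment lines with `* Look up an AVC entry for the SID pair (@ssid, @tsid) and class` / `* @tclass.` and leaving the rest of the description as is. It would also help to state in the comment that the lookup no longer filters on any requested bits, so the caller must compare the returned node's avd.allowed against the permissions it wants; in the second hunk avc_has_perm_noaudit presumably does that after the call, but its body continues outside the hunk.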
...@@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap); ...@@ -88,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
#define SEL_VEC_MAX 32 #define SEL_VEC_MAX 32
struct av_decision { struct av_decision {
u32 allowed; u32 allowed;
u32 decided;
u32 auditallow; u32 auditallow;
u32 auditdeny; u32 auditdeny;
u32 seqno; u32 seqno;
...@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) ...@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
"%x %x %x %x %u", "%x %x %x %x %u",
avd.allowed, avd.decided, avd.allowed, 0xffffffff,
avd.auditallow, avd.auditdeny, avd.auditallow, avd.auditdeny,
avd.seqno); avd.seqno);
out2: out2:
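Review bot: The bare `0xffffffff` substituted for `avd.decided` in the scnprintf call is a magic value whose purpose is not recorded in the hunk: the five-field "%x %x %x %x %u" reply format is kept unchanged, presumably so existing userspace readers of this selinuxfs transaction keep parsing it, while the kernel now decides every permission bit. Suggest a one-line comment above the call, `/* "decided" slot: all bits are now decided; value kept only for reply-format compatibility */`, or a named constant, so the next reader does not mistake it for a live decision vector. sel_write_access's body starts and ends outside the hunk.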
...@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext, ...@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext,
* Initialize the access vectors to the default values. * Initialize the access vectors to the default values.
*/ */
avd->allowed = 0; avd->allowed = 0;
avd->decided = 0xffffffff;
avd->auditallow = 0; avd->auditallow = 0;
avd->auditdeny = 0xffffffff; avd->auditdeny = 0xffffffff;
avd->seqno = latest_granting; avd->seqno = latest_granting;
...@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid, ...@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid,
if (!ss_initialized) { if (!ss_initialized) {
avd->allowed = 0xffffffff; avd->allowed = 0xffffffff;
avd->decided = 0xffffffff;
avd->auditallow = 0; avd->auditallow = 0;
avd->auditdeny = 0xffffffff; avd->auditdeny = 0xffffffff;
avd->seqno = latest_granting; avd->seqno = latest_granting;