1. 08 4月, 2008 1 次提交
  2. 06 2月, 2008 1 次提交
  3. 02 2月, 2008 2 次提交
  4. 01 2月, 2008 1 次提交
  5. 30 1月, 2008 5 次提交
  6. 26 1月, 2008 1 次提交
  7. 25 1月, 2008 2 次提交
  8. 22 1月, 2008 1 次提交
  9. 08 11月, 2007 2 次提交
  10. 17 10月, 2007 4 次提交
    • K
      SELinux: kills warnings in Improve SELinux performance when AVC misses · 087feb98
      KaiGai Kohei 提交于
      This patch kills ugly warnings when the "Improve SELinux performance
      when ACV misses" patch.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      087feb98
    • K
      SELinux: improve performance when AVC misses. · 9fe79ad1
      KaiGai Kohei 提交于
      * We add ebitmap_for_each_positive_bit() which enables to walk on
        any positive bit on the given ebitmap, to improve its performance
        using common bit-operations defined in linux/bitops.h.
        In the previous version, this logic was implemented using a combination
        of ebitmap_for_each_bit() and ebitmap_node_get_bit(), but is was worse
        in performance aspect.
        This logic is most frequestly used to compute a new AVC entry,
        so this patch can improve SELinux performance when AVC misses are happen.
      * struct ebitmap_node is redefined as an array of "unsigned long", to get
        suitable for using find_next_bit() which is fasted than iteration of
        shift and logical operation, and to maximize memory usage allocated
        from general purpose slab.
      * Any ebitmap_for_each_bit() are repleced by the new implementation
        in ss/service.c and ss/mls.c. Some of related implementation are
        changed, however, there is no incompatibility with the previous
        version.
      * The width of any new line are less or equal than 80-chars.
      
      The following benchmark shows the effect of this patch, when we
      access many files which have different security context one after
      another. The number is more than /selinux/avc/cache_threshold, so
      any access always causes AVC misses.
      
            selinux-2.6      selinux-2.6-ebitmap
      AVG:   22.763 [s]          8.750 [s]
      STD:    0.265              0.019
      ------------------------------------------
      1st:   22.558 [s]          8.786 [s]
      2nd:   22.458 [s]          8.750 [s]
      3rd:   22.478 [s]          8.754 [s]
      4th:   22.724 [s]          8.745 [s]
      5th:   22.918 [s]          8.748 [s]
      6th:   22.905 [s]          8.764 [s]
      7th:   23.238 [s]          8.726 [s]
      8th:   22.822 [s]          8.729 [s]
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9fe79ad1
    • E
      SELinux: policy selectable handling of unknown classes and perms · 3f12070e
      Eric Paris 提交于
      Allow policy to select, in much the same way as it selects MLS support, how
      the kernel should handle access decisions which contain either unknown
      classes or unknown permissions in known classes.  The three choices for the
      policy flags are
      
      0 - Deny unknown security access. (default)
      2 - reject loading policy if it does not contain all definitions
      4 - allow unknown security access
      
      The policy's choice is exported through 2 booleans in
      selinuxfs.  /selinux/deny_unknown and /selinux/reject_unknown.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3f12070e
    • Y
      SELinux: tune avtab to reduce memory usage · 3232c110
      Yuichi Nakamura 提交于
      This patch reduces memory usage of SELinux by tuning avtab. Number of hash
      slots in avtab was 32768. Unused slots used memory when number of rules is
      fewer. This patch decides number of hash slots dynamically based on number
      of rules. (chain length)^2 is also printed out in avtab_hash_eval to see
      standard deviation of avtab hash table.
      
      Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3232c110
  11. 16 8月, 2007 1 次提交
  12. 01 8月, 2007 1 次提交
  13. 23 7月, 2007 1 次提交
  14. 20 7月, 2007 1 次提交
    • P
      mm: Remove slab destructors from kmem_cache_create(). · 20c2df83
      Paul Mundt 提交于
      Slab destructors were no longer supported after Christoph's
      c59def9f change. They've been
      BUGs for both slab and slub, and slob never supported them
      either.
      
      This rips out support for the dtor pointer from kmem_cache_create()
      completely and fixes up every single callsite in the kernel (there were
      about 224, not including the slab allocator definitions themselves,
      or the documentation references).
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      20c2df83
  15. 12 7月, 2007 3 次提交
    • S
      SELinux: allow preemption between transition permission checks · 2c3c05db
      Stephen Smalley 提交于
      In security_get_user_sids, move the transition permission checks
      outside of the section holding the policy rdlock, and use the AVC to
      perform the checks, calling cond_resched after each one.  These
      changes should allow preemption between the individual checks and
      enable caching of the results.  It may however increase the overall
      time spent in the function in some cases, particularly in the cache
      miss case.
      
      The long term fix will be to take much of this logic to userspace by
      exporting additional state via selinuxfs, and ultimately deprecating
      and eliminating this interface from the kernel.
      Tested-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2c3c05db
    • E
      selinux: introduce schedule points in policydb_destroy() · 9dc99780
      Eric Paris 提交于
      During the LSPP testing we found that it was possible for
      policydb_destroy() to take 10+ seconds of kernel time to complete.
      Basically all policydb_destroy() does is walk some (possibly long) lists
      and free the memory it finds.  Turning off slab debugging config options
      made the problem go away since the actual functions which took most of
      the time were (as seen by oprofile)
      
      > 121202   23.9879  .check_poison_obj
      > 78247    15.4864  .check_slabp
      
      were caused by that.  So I decided to also add some voluntary schedule
      points in that code so config voluntary preempt would be enough to solve
      the problem.  Something similar was done in places like
      shmem_free_pages() when we have to walk a list of memory and free it.
      This was tested by the LSPP group on the hardware which could reproduce
      the problem just loading a new policy and was found to not trigger the
      softlock detector.  It takes just as much processing time, but the
      kernel doesn't spend all that time stuck doing one thing and never
      scheduling.
      
      Someday a better way to handle memory might make the time needed in this
      function a lot less, but this fixes the current issue as it stands
      today.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9dc99780
    • C
      selinux: add support for querying object classes and permissions from the running policy · 55fcf09b
      Christopher J. PeBenito 提交于
      Add support to the SELinux security server for obtaining a list of classes,
      and for obtaining a list of permissions for a specified class.
      Signed-off-by: NChristopher J. PeBenito <cpebenito@tresys.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      55fcf09b
  16. 26 4月, 2007 6 次提交
  17. 27 2月, 2007 2 次提交
  18. 15 2月, 2007 1 次提交
    • T
      [PATCH] remove many unneeded #includes of sched.h · cd354f1a
      Tim Schmielau 提交于
      After Al Viro (finally) succeeded in removing the sched.h #include in module.h
      recently, it makes sense again to remove other superfluous sched.h includes.
      There are quite a lot of files which include it but don't actually need
      anything defined in there.  Presumably these includes were once needed for
      macros that used to live in sched.h, but moved to other header files in the
      course of cleaning it up.
      
      To ease the pain, this time I did not fiddle with any header files and only
      removed #includes from .c-files, which tend to cause less trouble.
      
      Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,
      arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,
      allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all
      configs in arch/arm/configs on arm.  I also checked that no new warnings were
      introduced by the patch (actually, some warnings are removed that were emitted
      by unnecessarily included header files).
      Signed-off-by: NTim Schmielau <tim@physik3.uni-rostock.de>
      Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cd354f1a
  19. 12 2月, 2007 1 次提交
  20. 27 1月, 2007 1 次提交
  21. 24 1月, 2007 1 次提交
  22. 09 1月, 2007 1 次提交