diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2007-06-07 15:34:10 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-07-11 22:52:25 -0400 |
commit | 2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518 (patch) | |
tree | bab75df9fafc435f3370a6d773d3284716347249 /security/selinux/include/avc.h | |
parent | 9dc9978084ea2a96b9f42752753d9e38a9f9d7b2 (diff) | |
download | talos-op-linux-2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518.tar.gz talos-op-linux-2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518.zip |
SELinux: allow preemption between transition permission checks
In security_get_user_sids, move the transition permission checks
outside of the section holding the policy rdlock, and use the AVC to
perform the checks, calling cond_resched after each one. These
changes should allow preemption between the individual checks and
enable caching of the results. It may however increase the overall
time spent in the function in some cases, particularly in the cache
miss case.
The long term fix will be to take much of this logic to userspace by
exporting additional state via selinuxfs, and ultimately deprecating
and eliminating this interface from the kernel.
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include/avc.h')
-rw-r--r-- | security/selinux/include/avc.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 6ed10c3d3339..e145f6e13b0b 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -102,9 +102,11 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct av_decision *avd, int result, struct avc_audit_data *auditdata); +#define AVC_STRICT 1 /* Ignore permissive mode. */ int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd); + u16 tclass, u32 requested, + unsigned flags, + struct av_decision *avd); int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, |