summaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorYuichi Nakamura <ynakam@hitachisoft.jp>2007-09-14 09:27:07 +0900
committerJames Morris <jmorris@namei.org>2007-10-17 08:59:31 +1000
commit788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch)
treecbe2d2a360aaf7dc243bef432e1c50507ae6db7b /include/linux
parent3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff)
downloadlinux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.tar.gz
linux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.tar.bz2
linux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.zip
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating permissions in selinux_file_permission if the task or inode labels have changed or the policy has changed since the open-time check. A new LSM hook, security_dentry_open, is added to capture the necessary state at open time to allow this optimization. (see http://marc.info/?l=selinux&m=118972995207740&w=2) Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/security.h18
1 files changed, 18 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 1a15526e9f67..928d4793c6f4 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -504,6 +504,13 @@ struct request_sock;
* @file contains the file structure being received.
* Return 0 if permission is granted.
*
+ * Security hook for dentry
+ *
+ * @dentry_open
+ * Save open-time permission checking state for later use upon
+ * file_permission, and recheck access if anything has changed
+ * since inode_permission.
+ *
* Security hooks for task operations.
*
* @task_create:
@@ -1256,6 +1263,7 @@ struct security_operations {
int (*file_send_sigiotask) (struct task_struct * tsk,
struct fown_struct * fown, int sig);
int (*file_receive) (struct file * file);
+ int (*dentry_open) (struct file *file);
int (*task_create) (unsigned long clone_flags);
int (*task_alloc_security) (struct task_struct * p);
@@ -1864,6 +1872,11 @@ static inline int security_file_receive (struct file *file)
return security_ops->file_receive (file);
}
+static inline int security_dentry_open (struct file *file)
+{
+ return security_ops->dentry_open (file);
+}
+
static inline int security_task_create (unsigned long clone_flags)
{
return security_ops->task_create (clone_flags);
@@ -2546,6 +2559,11 @@ static inline int security_file_receive (struct file *file)
return 0;
}
+static inline int security_dentry_open (struct file *file)
+{
+ return 0;
+}
+
static inline int security_task_create (unsigned long clone_flags)
{
return 0;