diff options
author | Yuichi Nakamura <ynakam@hitachisoft.jp> | 2007-09-14 09:27:07 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-10-17 08:59:31 +1000 |
commit | 788e7dd4c22e6f41b3a118fd8c291f831f6fddbb (patch) | |
tree | cbe2d2a360aaf7dc243bef432e1c50507ae6db7b /include/linux | |
parent | 3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9 (diff) | |
download | linux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.tar.gz linux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.tar.bz2 linux-788e7dd4c22e6f41b3a118fd8c291f831f6fddbb.zip |
SELinux: Improve read/write performance
It reduces the selinux overhead on read/write by only revalidating
permissions in selinux_file_permission if the task or inode labels have
changed or the policy has changed since the open-time check. A new LSM
hook, security_dentry_open, is added to capture the necessary state at open
time to allow this optimization.
(see http://marc.info/?l=selinux&m=118972995207740&w=2)
Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/security.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 1a15526e9f67..928d4793c6f4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -504,6 +504,13 @@ struct request_sock; * @file contains the file structure being received. * Return 0 if permission is granted. * + * Security hook for dentry + * + * @dentry_open + * Save open-time permission checking state for later use upon + * file_permission, and recheck access if anything has changed + * since inode_permission. + * * Security hooks for task operations. * * @task_create: @@ -1256,6 +1263,7 @@ struct security_operations { int (*file_send_sigiotask) (struct task_struct * tsk, struct fown_struct * fown, int sig); int (*file_receive) (struct file * file); + int (*dentry_open) (struct file *file); int (*task_create) (unsigned long clone_flags); int (*task_alloc_security) (struct task_struct * p); @@ -1864,6 +1872,11 @@ static inline int security_file_receive (struct file *file) return security_ops->file_receive (file); } +static inline int security_dentry_open (struct file *file) +{ + return security_ops->dentry_open (file); +} + static inline int security_task_create (unsigned long clone_flags) { return security_ops->task_create (clone_flags); @@ -2546,6 +2559,11 @@ static inline int security_file_receive (struct file *file) return 0; } +static inline int security_dentry_open (struct file *file) +{ + return 0; +} + static inline int security_task_create (unsigned long clone_flags) { return 0; |