summaryrefslogtreecommitdiffstats
path: root/security/selinux/avc.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-02-12 14:50:54 -0500
committerJames Morris <jmorris@namei.org>2009-02-14 09:23:08 +1100
commitf1c6381a6e337adcecf84be2a838bd9e610e2365 (patch)
treea6e0857db27a38b0976fb422836f9443241b4b61 /security/selinux/avc.c
parent21193dcd1f3570ddfd8a04f4465e484c1f94252f (diff)
downloadlinux-f1c6381a6e337adcecf84be2a838bd9e610e2365.tar.gz
linux-f1c6381a6e337adcecf84be2a838bd9e610e2365.tar.bz2
linux-f1c6381a6e337adcecf84be2a838bd9e610e2365.zip
SELinux: remove unused av.decided field
It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris <eparis@redhat.com> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r--security/selinux/avc.c15
1 files changed, 5 insertions, 10 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 2a84dec4adfe..326aa78bd421 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
- * @requested: requested permissions, interpreted based on @tclass
*
* Look up an AVC entry that is valid for the
- * @requested permissions between the SID pair
* (@ssid, @tsid), interpreting the permissions
* based on @tclass. If a valid AVC entry exists,
* then this function return the avc_node.
* Otherwise, this function returns NULL.
*/
-static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)
+static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
{
struct avc_node *node;
avc_cache_stats_incr(lookups);
node = avc_search_node(ssid, tsid, tclass);
- if (node && ((node->ae.avd.decided & requested) == requested)) {
+ if (node)
avc_cache_stats_incr(hits);
- goto out;
- }
+ else
+ avc_cache_stats_incr(misses);
- node = NULL;
- avc_cache_stats_incr(misses);
-out:
return node;
}
@@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
rcu_read_lock();
- node = avc_lookup(ssid, tsid, tclass, requested);
+ node = avc_lookup(ssid, tsid, tclass);
if (!node) {
rcu_read_unlock();