Commit f01e1af4 authored by Linus Torvalds's avatar Linus Torvalds

selinux: don't pass in NULL avd to avc_has_perm_noaudit

Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.

Don't do it.  The normal callers all pass a real avd pointer, and this
helper function is incredibly hot.  So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.

This also avoids some duplicated stack space.
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent bc9bc72e
...@@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno) ...@@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno)
int avc_has_perm_noaudit(u32 ssid, u32 tsid, int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested, u16 tclass, u32 requested,
unsigned flags, unsigned flags,
struct av_decision *in_avd) struct av_decision *avd)
{ {
struct avc_node *node; struct avc_node *node;
struct av_decision avd_entry, *avd;
int rc = 0; int rc = 0;
u32 denied; u32 denied;
...@@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
node = avc_lookup(ssid, tsid, tclass); node = avc_lookup(ssid, tsid, tclass);
if (unlikely(!node)) { if (unlikely(!node)) {
rcu_read_unlock(); rcu_read_unlock();
if (in_avd)
avd = in_avd;
else
avd = &avd_entry;
security_compute_av(ssid, tsid, tclass, avd); security_compute_av(ssid, tsid, tclass, avd);
rcu_read_lock(); rcu_read_lock();
node = avc_insert(ssid, tsid, tclass, avd); node = avc_insert(ssid, tsid, tclass, avd);
} else { } else {
if (in_avd) memcpy(avd, &node->ae.avd, sizeof(*avd));
memcpy(in_avd, &node->ae.avd, sizeof(*in_avd));
avd = &node->ae.avd; avd = &node->ae.avd;
} }
...@@ -2217,10 +2217,11 @@ int security_get_user_sids(u32 fromsid, ...@@ -2217,10 +2217,11 @@ int security_get_user_sids(u32 fromsid,
goto out; goto out;
} }
for (i = 0, j = 0; i < mynel; i++) { for (i = 0, j = 0; i < mynel; i++) {
struct av_decision dummy_avd;
rc = avc_has_perm_noaudit(fromsid, mysids[i], rc = avc_has_perm_noaudit(fromsid, mysids[i],
SECCLASS_PROCESS, /* kernel value */ SECCLASS_PROCESS, /* kernel value */
PROCESS__TRANSITION, AVC_STRICT, PROCESS__TRANSITION, AVC_STRICT,
NULL); &dummy_avd);
if (!rc) if (!rc)
mysids2[j++] = mysids[i]; mysids2[j++] = mysids[i];
cond_resched(); cond_resched();
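Review bot: The new `dummy_avd` declared in the loop body is written by avc_has_perm_noaudit() and never read, and nothing says why it exists, so a reader will wonder whether the decision was meant to be checked. Suggest `struct av_decision dummy_avd; /* avc_has_perm_noaudit() now requires a non-NULL avd; only rc matters here */`. Since the callee dereferences avd unconditionally after this commit, the non-NULL requirement is enforced only by convention at the call sites, so it is worth stating in the callee's kernel-doc as well. The enclosing function security_get_user_sids() starts and ends outside the hunk.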