
selinux: delay inode label lookup as long as possible

Since looking up an inode's label can result in revalidation, delay
the lookup as long as possible to limit the performance impact.

Signed-off-by: Paul Moore <paul@paul-moore.com>

+13 -8
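--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1790,7 +1790,6 @@
 			       u32 *_new_isid)
 {
 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
-	const struct inode_security_struct *dsec = inode_security(dir);
 	const struct task_security_struct *tsec = current_security();
 
 	if ((sbsec->flags & SE_SBINITIALIZED) &&
@@ -1799,6 +1800,7 @@
 	    tsec->create_sid) {
 		*_new_isid = tsec->create_sid;
 	} else {
+		const struct inode_security_struct *dsec = inode_security(dir);
 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
 					       name, _new_isid);
 	}
@@ -2084,7 +2084,7 @@
 	u32 sid = task_sid(to);
 	struct file_security_struct *fsec = file->f_security;
 	struct dentry *dentry = file->f_path.dentry;
-	struct inode_security_struct *isec = backing_inode_security(dentry);
+	struct inode_security_struct *isec;
 	struct common_audit_data ad;
 	int rc;
 
@@ -2103,6 +2103,7 @@
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return 0;
 
+	isec = backing_inode_security(dentry);
 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
 			    &ad);
 }
@@ -3058,7 +3057,7 @@
 			     const void *value, size_t size, int flags)
 {
 	struct inode *inode = d_backing_inode(dentry);
-	struct inode_security_struct *isec = backing_inode_security(dentry);
+	struct inode_security_struct *isec;
 	struct superblock_security_struct *sbsec;
 	struct common_audit_data ad;
 	u32 newsid, sid = current_sid();
@@ -3077,6 +3076,7 @@
 	ad.type = LSM_AUDIT_DATA_DENTRY;
 	ad.u.dentry = dentry;
 
+	isec = backing_inode_security(dentry);
 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
 			  FILE__RELABELFROM, &ad);
 	if (rc)
@@ -3136,7 +3134,7 @@
 				  int flags)
 {
 	struct inode *inode = d_backing_inode(dentry);
-	struct inode_security_struct *isec = backing_inode_security(dentry);
+	struct inode_security_struct *isec;
 	u32 newsid;
 	int rc;
 
@@ -3153,6 +3151,7 @@
 		return;
 	}
 
+	isec = backing_inode_security(dentry);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = LABEL_INITIALIZED;
@@ -3195,7 +3192,7 @@
 	u32 size;
 	int error;
 	char *context = NULL;
-	struct inode_security_struct *isec = inode_security(inode);
+	struct inode_security_struct *isec;
 
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
@@ -3214,6 +3211,7 @@
 	if (!error)
 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
 					    SECURITY_CAP_NOAUDIT);
+	isec = inode_security(inode);
 	if (!error)
 		error = security_sid_to_context_force(isec->sid, &context,
 						      &size);
@@ -3324,7 +3320,7 @@
 	struct common_audit_data ad;
 	struct file_security_struct *fsec = file->f_security;
 	struct inode *inode = file_inode(file);
-	struct inode_security_struct *isec = inode_security(inode);
+	struct inode_security_struct *isec;
 	struct lsm_ioctlop_audit ioctl;
 	u32 ssid = cred_sid(cred);
 	int rc;
@@ -3348,6 +3344,7 @@
 	if (unlikely(IS_PRIVATE(inode)))
 		return 0;
 
+	isec = inode_security(inode);
 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
 				    requested, driver, xperm, &ad);
 out:
@@ -3750,18 +3745,18 @@
 				    SYSTEM__MODULE_LOAD, NULL);
 
 	/* finit_module */
+
 	ad.type = LSM_AUDIT_DATA_PATH;
 	ad.u.path = file->f_path;
 
-	isec = inode_security(file_inode(file));
 	fsec = file->f_security;
-
 	if (sid != fsec->sid) {
 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
 		if (rc)
 			return rc;
 	}
 
+	isec = inode_security(file_inode(file));
 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
 			    SYSTEM__MODULE_LOAD, &ad);
 }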
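Review bot: In the hunk around old lines 3214-3219 the moved lookup `isec = inode_security(inode);` is placed between the two `if (!error)` checks, so it still runs when the preceding capability check has already set `error` and its result is then never used, which defeats the commit's stated goal of avoiding the revalidation cost on paths that do not need the label. Moving it into the second conditional keeps the lookup on the success path only: `if (!error) {` / `isec = inode_security(inode);` / `error = security_sid_to_context_force(isec->sid, &context, &size);` / `}`. The other hunks are fine in this respect, since each moved lookup directly precedes its only use. As a point of style, in the final hunk the added blank line after `/* finit_module */` separates that comment from the `ad.type` assignment it labels while the blank before `if (sid != fsec->sid)` is removed; keeping the original spacing would be clearer. The enclosing functions start and end outside every hunk shown.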