tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
selinux: don't pass in NULL avd to avc_has_perm_noaudit
Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.
Don't do it. The normal callers all pass a real avd pointer, and this
helper function is incredibly hot. So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.
This also avoids some duplicated stack space.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+4
-11
+2
-10
security/selinux/avc.c
+2
-10
security/selinux/avc.c
···
752
752
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
753
753
u16 tclass, u32 requested,
754
754
unsigned flags,
755
-
struct av_decision *in_avd)
755
+
struct av_decision *avd)
756
756
{
757
757
struct avc_node *node;
758
-
struct av_decision avd_entry, *avd;
759
758
int rc = 0;
760
759
u32 denied;
761
760
···
765
766
node = avc_lookup(ssid, tsid, tclass);
766
767
if (unlikely(!node)) {
767
768
rcu_read_unlock();
768
-
769
-
if (in_avd)
770
-
avd = in_avd;
771
-
else
772
-
avd = &avd_entry;
773
-
774
769
security_compute_av(ssid, tsid, tclass, avd);
775
770
rcu_read_lock();
776
771
node = avc_insert(ssid, tsid, tclass, avd);
777
772
} else {
778
-
if (in_avd)
779
-
memcpy(in_avd, &node->ae.avd, sizeof(*in_avd));
773
+
memcpy(avd, &node->ae.avd, sizeof(*avd));
780
774
avd = &node->ae.avd;
781
775
}
782
776
+2
-1
security/selinux/ss/services.c
+2
-1
security/selinux/ss/services.c
···
2217
2217
goto out;
2218
2218
}
2219
2219
for (i = 0, j = 0; i < mynel; i++) {
2220
+
struct av_decision dummy_avd;
2220
2221
rc = avc_has_perm_noaudit(fromsid, mysids[i],
2221
2222
SECCLASS_PROCESS, /* kernel value */
2222
2223
PROCESS__TRANSITION, AVC_STRICT,
2223
-
NULL);
2224
+
&dummy_avd);
2224
2225
if (!rc)
2225
2226
mysids2[j++] = mysids[i];
2226
2227
cond_resched();