selinux: don't pass in NULL avd to avc_has_perm_noaudit
authorLinus Torvalds <torvalds@linux-foundation.org>
Tue, 24 May 2011 20:48:51 +0000 (13:48 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 27 May 2011 01:13:57 +0000 (18:13 -0700)
Right now security_get_user_sids() will pass in a NULL avd pointer to
avc_has_perm_noaudit(), which then forces that function to have a dummy
entry for that case and just generally test it.

Don't do it.  The normal callers all pass a real avd pointer, and this
helper function is incredibly hot.  So don't make avc_has_perm_noaudit()
do conditional stuff that isn't needed for the common case.

This also avoids some duplicated stack space.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
security/selinux/avc.c
security/selinux/ss/services.c

index fcb89cb0f2235b5801004eba9ada05738d858f58..d515b2128a4ef6f631f4113cf0fcf3575fea3e6d 100644 (file)
@@ -752,10 +752,9 @@ int avc_ss_reset(u32 seqno)
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                         u16 tclass, u32 requested,
                         unsigned flags,
-                        struct av_decision *in_avd)
+                        struct av_decision *avd)
 {
        struct avc_node *node;
-       struct av_decision avd_entry, *avd;
        int rc = 0;
        u32 denied;
 
@@ -766,18 +765,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
        node = avc_lookup(ssid, tsid, tclass);
        if (unlikely(!node)) {
                rcu_read_unlock();
-
-               if (in_avd)
-                       avd = in_avd;
-               else
-                       avd = &avd_entry;
-
                security_compute_av(ssid, tsid, tclass, avd);
                rcu_read_lock();
                node = avc_insert(ssid, tsid, tclass, avd);
        } else {
-               if (in_avd)
-                       memcpy(in_avd, &node->ae.avd, sizeof(*in_avd));
+               memcpy(avd, &node->ae.avd, sizeof(*avd));
                avd = &node->ae.avd;
        }
 
index c3e4b52699f4ef6ad8734391c1ef01c53f06a597..973e00e34fa9f18ff95d7920a18edbeb5987a5ba 100644 (file)
@@ -2217,10 +2217,11 @@ out_unlock:
                goto out;
        }
        for (i = 0, j = 0; i < mynel; i++) {
+               struct av_decision dummy_avd;
                rc = avc_has_perm_noaudit(fromsid, mysids[i],
                                          SECCLASS_PROCESS, /* kernel value */
                                          PROCESS__TRANSITION, AVC_STRICT,
-                                         NULL);
+                                         &dummy_avd);
                if (!rc)
                        mysids2[j++] = mysids[i];
                cond_resched();