From 778aae84ef694325662447eceba1a5f7d3eebdbb Mon Sep 17 00:00:00 2001
From: David Howells
Date: Mon, 26 Mar 2012 16:38:47 +0100
Subject: SELinux: selinux/xfrm.h needs net/flow.h
selinux/xfrm.h needs to #include net/flow.h or else suffer: In file included from security/selinux/ss/services.c:69:0: security/selinux/include/xfrm.h: In function 'selinux_xfrm_notify_policyload': security/selinux/include/xfrm.h:53:14: error: 'flow_cache_genid' undeclared (first use in this function) security/selinux/include/xfrm.h:53:14: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: David Howells
---
 security/selinux/include/xfrm.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'security/selinux/include')
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index b43813c9e049..c220f314709c 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -7,6 +7,8 @@
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
 
+#include
+
 int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
 			      struct xfrm_user_sec_ctx *sec_ctx);
 int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
-- cgit v1.2.3
From 9ffc93f203c18a70623f21950f1dd473c9ec48cd Mon Sep 17 00:00:00 2001
From: David Howells
Date: Wed, 28 Mar 2012 18:30:03 +0100
Subject: Remove all #inclusions of asm/system.h
Remove all #inclusions of asm/system.h preparatory to splitting and killing it. Performed with the following command: perl -p -i -e 's!^#\s*include\s*.*\n!!' `grep -Irl '^#\s*include\s*' *`
Signed-off-by: David Howells
---
 security/selinux/include/avc.h | 1 -
 1 file changed, 1 deletion(-)
(limited to 'security/selinux/include')
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 47fda963495d..005a91bcb200 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -15,7 +15,6 @@
 #include
 #include
 #include
-#include
 #include "flask.h"
 #include "av_permissions.h"
 #include "security.h"
-- cgit v1.2.3
From 3b3b0e4fc15efa507b902d90cea39e496a523c3b Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 3 Apr 2012 09:37:02 -0700
Subject: LSM: shrink sizeof LSM specific portion of common_audit_data
Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement.
Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
---
 security/selinux/include/avc.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'security/selinux/include')
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 005a91bcb200..fa13f17ce0ff 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -46,6 +46,22 @@ struct avc_cache_stats {
 	unsigned int frees;
 };
 
+struct selinux_audit_data {
+	u32 ssid;
+	u32 tsid;
+	u16 tclass;
+	u32 requested;
+	u32 audited;
+	u32 denied;
+	/*
+	 * auditdeny is a bit tricky and unintuitive. See the
+	 * comments in avc.c for it's meaning and usage.
+	 */
+	u32 auditdeny;
+	struct av_decision *avd;
+	int result;
+};
+
 /*
  * AVC operations
  */
-- cgit v1.2.3
From 7f6a47cf1477ffae9cff1d6ee181e2ce6bfb2f02 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Mon, 2 Apr 2012 13:15:50 -0400
Subject: SELinux: remove avd from selinux_audit_data
We do not use it. Remove it.
Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
---
 security/selinux/include/avc.h | 1 -
 1 file changed, 1 deletion(-)
(limited to 'security/selinux/include')
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index fa13f17ce0ff..09c3eda12128 100644
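Review bot: The new `struct selinux_audit_data` in the @@ -46,6 +46,22 @@ hunk lands in a shared header with no comment saying who fills it in or what `requested`, `audited` and `denied` hold; only `auditdeny` is explained, and that by deferring to avc.c. A short block above the struct, such as `/* SELinux-specific part of common_audit_data: AVC subject/target/class plus the permission masks that were requested, audited and denied -- presumably populated by the AVC for the audit callback; confirm against avc.c */`, would let a reader of the audit path work from the header alone. Since the stated purpose of the series is to shrink this structure, note that `u16 tclass` sitting between two `u32` members costs two bytes of padding and the pointer member forces 8-byte alignment, so moving `tclass` to sit after `int result` should take the struct from 48 to 40 bytes on a 64-bit build; worth confirming with pahole before relying on it. The member comment's `it's meaning` should read `its meaning`.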
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -58,7 +58,6 @@ struct selinux_audit_data {
 	 * comments in avc.c for it's meaning and usage.
 	 */
 	u32 auditdeny;
-	struct av_decision *avd;
 	int result;
 };
 
-- cgit v1.2.3
From 3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 3 Apr 2012 09:38:00 -0700
Subject: SELinux: do not allocate stack space for AVC data unless needed
Instead of declaring the entire selinux_audit_data on the stack when we start an operation on declare it on the stack if we are going to use it. We know it's usefulness at the end of the security decision and can declare it there.
Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
---
 security/selinux/include/avc.h | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'security/selinux/include')
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 09c3eda12128..1931370233d7 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -46,19 +46,29 @@ struct avc_cache_stats {
 	unsigned int frees;
 };
 
-struct selinux_audit_data {
+/*
+ * We only need this data after we have decided to send an audit message.
+ */
+struct selinux_late_audit_data {
 	u32 ssid;
 	u32 tsid;
 	u16 tclass;
 	u32 requested;
 	u32 audited;
 	u32 denied;
+	int result;
+};
+
+/*
+ * We collect this at the beginning or during an selinux security operation
+ */
+struct selinux_audit_data {
 	/*
 	 * auditdeny is a bit tricky and unintuitive. See the
 	 * comments in avc.c for it's meaning and usage.
 	 */
 	u32 auditdeny;
-	int result;
+	struct selinux_late_audit_data *slad;
 };
 
 /*
-- cgit v1.2.3
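Review bot: The new `slad` member in the @@ -46,19 +46,29 @@ hunk is a bare pointer to an object that, per the commit message, lives on a caller's stack and only exists once the AVC has decided to audit, yet the header says nothing about that lifetime or about `slad` being NULL before that point; anyone reading `selinux_audit_data` out of `common_audit_data` could dereference it unchecked or after the owning frame has returned. Suggest a comment on the member along the lines of `/* NULL until the AVC decides to audit; then points at a stack-allocated selinux_late_audit_data owned by the caller and valid only for the duration of the audit callback -- confirm against avc.c */`. The two new block comments also have wording slips: `an selinux security operation` should be `an SELinux security operation`, and the carried-over `it's meaning` should be `its meaning`. Both struct definitions are complete within the hunk.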