| field | value | date |
|---|---|---|
| author | Paul Moore <pmoore@redhat.com> | 2014-06-26 14:33:56 -0400 |
| committer | Paul Moore <pmoore@redhat.com> | 2014-06-26 14:33:56 -0400 |
| commit | 615e51fdda6f274e94b1e905fcaf6111e0d9aa20 (patch) | |
| tree | d0ce12f9f5e086c293a7255e3e712d2a42be02b9 /security/selinux/hooks.c | |
| parent | f31e799459659ae88c341aeac16a8a5efb1271d4 (diff) | |
selinux: reduce the number of calls to synchronize_net() when flushing caches
When flushing the AVC, such as during a policy load, the various
network caches are also flushed, with each making a call to
synchronize_net() which has been shown to be expensive in some cases.
This patch consolidates the network cache flushes into a single AVC
callback which only calls synchronize_net() once for each AVC cache
flush.
Reported-by: Jaejyn Shin <flagon22bass@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux/hooks.c')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | security/selinux/hooks.c | 14 |

1 files changed, 14 insertions, 0 deletions
| diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 336f0a04450e..39bc8c94b969 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)  	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());  } +static int selinux_netcache_avc_callback(u32 event) +{ +	if (event == AVC_CALLBACK_RESET) { +		sel_netif_flush(); +		sel_netnode_flush(); +		sel_netport_flush(); +		synchronize_net(); +	} +	return 0; +} +  /*   * initialise the security for the init task   */ @@ -5993,6 +6004,9 @@ static __init int selinux_init(void)  	if (register_security(&selinux_ops))  		panic("SELinux: Unable to register with kernel.\n"); +	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) +		panic("SELinux: Unable to register AVC netcache callback\n"); +  	if (selinux_enforcing)  		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");  	else | 
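Review bot: In the first hunk, selinux_netcache_avc_callback() calls sel_netif_flush(), sel_netnode_flush() and sel_netport_flush() and then synchronize_net() once, but because the diffstat is limited to security/selinux/hooks.c it is not visible whether those three flush routines still issue their own synchronize_net(); if they do, the consolidation the commit message describes is not achieved and the per-cache calls should be dropped in the same series. A short comment above the function explaining why the single synchronize_net() is still required after the flushes (so that RCU readers that may still reference the flushed entries have finished before the reset completes) would also help the next reader, since the body alone does not say why the grace period wait is there at all.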
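Review bot: In the second hunk, the avc_add_callback() registration is placed after register_security() and panics on failure, which matches the surrounding style, but the new message "SELinux: Unable to register AVC netcache callback\n" drops the trailing period that the adjacent "SELinux: Unable to register with kernel.\n" uses; pick one form for both. It would also be worth stating in the commit message that the callback is only registered for AVC_CALLBACK_RESET, since the `if (event == AVC_CALLBACK_RESET)` test in the callback body otherwise reads as defensive against events that can never be delivered.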
