]> err.no Git - linux-2.6/commit
SELinux: allow preemption between transition permission checks
authorStephen Smalley <sds@tycho.nsa.gov>
Thu, 7 Jun 2007 19:34:10 +0000 (15:34 -0400)
committerJames Morris <jmorris@namei.org>
Thu, 12 Jul 2007 02:52:25 +0000 (22:52 -0400)
commit2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518
treebab75df9fafc435f3370a6d773d3284716347249
parent9dc9978084ea2a96b9f42752753d9e38a9f9d7b2
SELinux: allow preemption between transition permission checks

In security_get_user_sids, move the transition permission checks
outside of the section holding the policy rdlock, and use the AVC to
perform the checks, calling cond_resched after each one.  These
changes should allow preemption between the individual checks and
enable caching of the results.  It may however increase the overall
time spent in the function in some cases, particularly in the cache
miss case.

The long term fix will be to take much of this logic to userspace by
exporting additional state via selinuxfs, and ultimately deprecating
and eliminating this interface from the kernel.

Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
security/selinux/avc.c
security/selinux/hooks.c
security/selinux/include/avc.h
security/selinux/ss/services.c