From d4cf970d0732628d514405c5a975024b9e205b0b Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 4 Apr 2012 15:01:42 -0400 Subject: [PATCH] SELinux: move common_audit_data to a noinline slow path function selinux_inode_has_perm is a hot path. Instead of declaring the common_audit_data on the stack move it to a noinline function only used in the rare case we need to send an audit message. Signed-off-by: Eric Paris --- security/selinux/hooks.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8417a6afaf30..b3bd8e1d268a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2658,11 +2658,29 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na return dentry_has_perm(cred, dentry, FILE__READ); } -static int selinux_inode_permission(struct inode *inode, int mask) +static noinline int audit_inode_permission(struct inode *inode, + u32 perms, u32 audited, u32 denied, + unsigned flags) { - const struct cred *cred = current_cred(); struct common_audit_data ad; struct selinux_audit_data sad = {0,}; + struct inode_security_struct *isec = inode->i_security; + int rc; + + COMMON_AUDIT_DATA_INIT(&ad, INODE); + ad.selinux_audit_data = &sad; + ad.u.inode = inode; + + rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, + audited, denied, &ad, flags); + if (rc) + return rc; + return 0; +} + +static int selinux_inode_permission(struct inode *inode, int mask) +{ + const struct cred *cred = current_cred(); u32 perms; bool from_access; unsigned flags = mask & MAY_NOT_BLOCK; @@ -2696,15 +2714,7 @@ static int selinux_inode_permission(struct inode *inode, int mask) if (likely(!audited)) return rc; - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.selinux_audit_data = &sad; - ad.u.inode = inode; - - if (from_access) - ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS; - - rc2 = slow_avc_audit(sid, isec->sid, isec->sclass, perms, - audited, denied, &ad, flags); + rc2 = audit_inode_permission(inode, perms, audited, denied, flags); if (rc2) return rc2; return rc; -- 2.34.1