author | Stephen Smalley <sds@tycho.nsa.gov> | 2009-06-22 14:54:53 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-06-23 08:19:58 +1000 |
commit | 20dda18be9035c487c2e9534e4d18d2a1e1deade (patch) | |
tree | 5d50d2727e1495ccd8fa2a2340332f25c290670c | |
parent | 56f8c9bc410deb55f21698e6a0d59f559ae1d794 (diff) |
selinux: restore optimization to selinux_file_permission
Restore the optimization to skip revalidation in selinux_file_permission
if nothing has changed since the dentry_open checks, accidentally removed by
389fb800. Also remove redundant test from selinux_revalidate_file_permission.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/hooks.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 15c2a08a66f..d6f64783acd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2938,11 +2938,6 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
 const struct cred *cred = current_cred();
 struct inode *inode = file->f_path.dentry->d_inode;

- if (!mask) {
- /* No permission to check. Existence test. */
- return 0;
- }
-
 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
 mask |= MAY_APPEND;
@@ -2953,10 +2948,20 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)

 static int selinux_file_permission(struct file *file, int mask)
 {
+ struct inode *inode = file->f_path.dentry->d_inode;
+ struct file_security_struct *fsec = file->f_security;
+ struct inode_security_struct *isec = inode->i_security;
+ u32 sid = current_sid();
+
 if (!mask)
 /* No permission to check. Existence test. */
 return 0;

+ if (sid == fsec->sid && fsec->isid == isec->sid &&
+ fsec->pseqno == avc_policy_seqno())
+ /* No change since dentry_open check. */
+ return 0;
+
 return selinux_revalidate_file_permission(file, mask);
 }

|
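Review bot: The fast path added to selinux_file_permission returns 0 without looking at `mask` or `file->f_flags`, so its safety rests on an invariant that the comment `/* No change since dentry_open check. */` does not spell out: every access that can reach this hook on an open file must already have been covered by the check made at open time. I would expand the comment to name the three conditions and the assumption, e.g. `/* Same task SID, inode SID and policy seqno as at dentry_open, so the open-time decision still holds; mask and f_flags are not re-examined here. */`. The O_APPEND handling in selinux_revalidate_file_permission (context lines of the first hunk) is skipped on this path, and whether a later change to `f_flags` is checked by another hook is not visible on this page. The four new locals are also initialised before the `!mask` test, so the existence-test path now dereferences `file->f_security` and `inode->i_security`; presumably both are always set for an open file, but a one-line comment saying so would help.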