From f1c6381a6e337adcecf84be2a838bd9e610e2365 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 12 Feb 2009 14:50:54 -0500 Subject: SELinux: remove unused av.decided field It appears there was an intention to have the security server only decide certain permissions and leave other for later as some sort of a portential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept. This in a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark. Signed-off-by: Eric Paris Reviewed-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/avc.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) (limited to 'security/selinux/avc.c') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 2a84dec4adfe..326aa78bd421 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -381,30 +381,25 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass * * Look up an AVC entry that is valid for the - * @requested permissions between the SID pair * (@ssid, @tsid), interpreting the permissions * based on @tclass. If a valid AVC entry exists, * then this function return the avc_node. * Otherwise, this function returns NULL. */ -static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested) +static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) { struct avc_node *node; avc_cache_stats_incr(lookups); node = avc_search_node(ssid, tsid, tclass); - if (node && ((node->ae.avd.decided & requested) == requested)) { + if (node) avc_cache_stats_incr(hits); - goto out; - } + else + avc_cache_stats_incr(misses); - node = NULL; - avc_cache_stats_incr(misses); -out: return node; } @@ -875,7 +870,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, rcu_read_lock(); - node = avc_lookup(ssid, tsid, tclass, requested); + node = avc_lookup(ssid, tsid, tclass); if (!node) { rcu_read_unlock(); -- cgit v1.2.3-59-g8ed1b