From: Stephen Smalley Date: Mon, 22 Jun 2009 18:54:53 +0000 (-0400) Subject: selinux: restore optimization to selinux_file_permission X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=20dda18be9035c487c2e9534e4d18d2a1e1deade;p=openwrt%2Fstaging%2Fblogic.git selinux: restore optimization to selinux_file_permission Restore the optimization to skip revalidation in selinux_file_permission if nothing has changed since the dentry_open checks, accidentally removed by 389fb800. Also remove redundant test from selinux_revalidate_file_permission. Signed-off-by: Stephen Smalley Reviewed-by: Paul Moore Acked-by: Eric Paris Signed-off-by: James Morris --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 15c2a08a66f1..d6f64783acd1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2938,11 +2938,6 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) const struct cred *cred = current_cred(); struct inode *inode = file->f_path.dentry->d_inode; - if (!mask) { - /* No permission to check. Existence test. */ - return 0; - } - /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) mask |= MAY_APPEND; @@ -2953,10 +2948,20 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) static int selinux_file_permission(struct file *file, int mask) { + struct inode *inode = file->f_path.dentry->d_inode; + struct file_security_struct *fsec = file->f_security; + struct inode_security_struct *isec = inode->i_security; + u32 sid = current_sid(); + if (!mask) /* No permission to check. Existence test. */ return 0; + if (sid == fsec->sid && fsec->isid == isec->sid && + fsec->pseqno == avc_policy_seqno()) + /* No change since dentry_open check. */ + return 0; + return selinux_revalidate_file_permission(file, mask); }