Gitiles
Code Review Sign In
gerrit.openfyde.cn / github.com / raspberrypi / raspberrypi-kernel / 3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09^! / . / security / selinux / avc.c
commit3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09[log] [tgz]
authorEric Paris <eparis@redhat.com>Tue Apr 03 09:38:00 2012 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>Tue Apr 03 09:49:41 2012 -0700
tree20a7485417c8528d975ef4ff6e90467f63f67ab2
parentf8294f1144ad0630075918df4bf94075f5384604 [diff] [blame]
SELinux: do not allocate stack space for AVC data unless needed

Instead of declaring the entire selinux_audit_data on the stack when we
start an operation on declare it on the stack if we are going to use it.
We know it's usefulness at the end of the security decision and can declare
it there.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b5545a8..36c42bb 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c

@@ -436,9 +436,9 @@
 {
 	struct common_audit_data *ad = a;
 	audit_log_format(ab, "avc:  %s ",
-			 ad->selinux_audit_data->denied ? "denied" : "granted");
-	avc_dump_av(ab, ad->selinux_audit_data->tclass,
-			ad->selinux_audit_data->audited);
+			 ad->selinux_audit_data->slad->denied ? "denied" : "granted");
+	avc_dump_av(ab, ad->selinux_audit_data->slad->tclass,
+			ad->selinux_audit_data->slad->audited);
 	audit_log_format(ab, " for ");
 }
 
@@ -452,9 +452,9 @@
 {
 	struct common_audit_data *ad = a;
 	audit_log_format(ab, " ");
-	avc_dump_query(ab, ad->selinux_audit_data->ssid,
-			   ad->selinux_audit_data->tsid,
-			   ad->selinux_audit_data->tclass);
+	avc_dump_query(ab, ad->selinux_audit_data->slad->ssid,
+			   ad->selinux_audit_data->slad->tsid,
+			   ad->selinux_audit_data->slad->tclass);
 }
 
 /* This is the slow part of avc audit with big stack footprint */
@@ -465,6 +465,7 @@
 {
 	struct common_audit_data stack_data;
 	struct selinux_audit_data sad = {0,};
+	struct selinux_late_audit_data slad;
 
 	if (!a) {
 		a = &stack_data;
@@ -483,12 +484,14 @@
 	    (flags & MAY_NOT_BLOCK))
 		return -ECHILD;
 
-	a->selinux_audit_data->tclass = tclass;
-	a->selinux_audit_data->requested = requested;
-	a->selinux_audit_data->ssid = ssid;
-	a->selinux_audit_data->tsid = tsid;
-	a->selinux_audit_data->audited = audited;
-	a->selinux_audit_data->denied = denied;
+	slad.tclass = tclass;
+	slad.requested = requested;
+	slad.ssid = ssid;
+	slad.tsid = tsid;
+	slad.audited = audited;
+	slad.denied = denied;
+
+	a->selinux_audit_data->slad = &slad;
 	a->lsm_pre_audit = avc_audit_pre_callback;
 	a->lsm_post_audit = avc_audit_post_callback;
 	common_lsm_audit(a);