    SELinux: allow preemption between transition permission checks · 2c3c05db
    Stephen Smalley authored
    In security_get_user_sids, move the transition permission checks
    outside of the section holding the policy rdlock, and use the AVC to
    perform the checks, calling cond_resched after each one.  These
    changes should allow preemption between the individual checks and
    enable caching of the results.  It may however increase the overall
    time spent in the function in some cases, particularly in the cache
    miss case.
    
    The long term fix will be to take much of this logic to userspace by
    exporting additional state via selinuxfs, and ultimately deprecating
    and eliminating this interface from the kernel.
    Tested-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: James Morris <jmorris@namei.org>
avc.h 2.98 KB