From 8aad38752e81d1d4de67e3d8e2524618ce7c9276 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 22 Mar 2006 00:09:13 -0800 Subject: [PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded This patch disables the automatic labeling of new inodes on disk when no policy is loaded. Discussion is here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296 In short, we're changing the behavior so that when no policy is loaded, SELinux does not label files at all. Currently it does add an 'unlabeled' label in this case, which we've found causes problems later. SELinux always maintains a safe internal label if there is none, so with this patch, we just stick with that and wait until a policy is loaded before adding a persistent label on disk. The effect is simply that if you boot with SELinux enabled but no policy loaded and create a file in that state, SELinux won't try to set a security extended attribute on the new inode on the disk. This is the only sane behavior for SELinux in that state, as it cannot determine the right label to assign in the absence of a policy. That state usually doesn't occur, but the rawhide installer seemed to be misbehaving temporarily so it happened to show up on a test install. Signed-off-by: Stephen Smalley Acked-by: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5b16196f2823..9ff51c668f06 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1957,7 +1957,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, inode_security_set_sid(inode, newsid); - if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) return -EOPNOTSUPP; if (name) { -- cgit v1.2.3 From cf01efd098597f7ee88a61e645afacba987c4531 Mon Sep 17 00:00:00 2001 From: James Morris Date: Wed, 22 Mar 2006 00:09:21 -0800 Subject: [PATCH] SELinux: cleanup stray variable in selinux_inode_init_security() Remove an unneded pointer variable in selinux_inode_init_security(). Signed-off-by: James Morris Acked-by: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9ff51c668f06..bdd0b32f0104 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1929,7 +1929,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, struct task_security_struct *tsec; struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; - struct inode_security_struct *isec; u32 newsid, clen; int rc; char *namep = NULL, *context; @@ -1937,7 +1936,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, tsec = current->security; dsec = dir->i_security; sbsec = dir->i_sb->s_security; - isec = inode->i_security; if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { newsid = tsec->create_sid; -- cgit v1.2.3 From 7cae7e26f245151b9ccad868bf2edf8c8048d307 Mon Sep 17 00:00:00 2001 From: James Morris Date: Wed, 22 Mar 2006 00:09:22 -0800 Subject: [PATCH] SELinux: add slab cache for inode security struct Add a slab cache for the SELinux inode security struct, one of which is allocated for every inode instantiated by the system. The memory savings are considerable. On 64-bit, instead of the size-128 cache, we have a slab object of 96 bytes, saving 32 bytes per object. After booting, I see about 4000 of these and then about 17,000 after a kernel compile. With this patch, we save around 530KB of kernel memory in the latter case. On 32-bit, the savings are about half of this. Signed-off-by: James Morris Acked-by: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/selinux/hooks.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bdd0b32f0104..ccaf988f3729 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -117,6 +117,8 @@ static struct security_operations *secondary_ops = NULL; static LIST_HEAD(superblock_security_head); static DEFINE_SPINLOCK(sb_security_lock); +static kmem_cache_t *sel_inode_cache; + /* Allocate and free functions for each kind of security blob. */ static int task_alloc_security(struct task_struct *task) @@ -146,10 +148,11 @@ static int inode_alloc_security(struct inode *inode) struct task_security_struct *tsec = current->security; struct inode_security_struct *isec; - isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL); + isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL); if (!isec) return -ENOMEM; + memset(isec, 0, sizeof(*isec)); init_MUTEX(&isec->sem); INIT_LIST_HEAD(&isec->list); isec->inode = inode; @@ -172,7 +175,7 @@ static void inode_free_security(struct inode *inode) spin_unlock(&sbsec->isec_lock); inode->i_security = NULL; - kfree(isec); + kmem_cache_free(sel_inode_cache, isec); } static int file_alloc_security(struct file *file) @@ -4406,6 +4409,9 @@ static __init int selinux_init(void) tsec = current->security; tsec->osid = tsec->sid = SECINITSID_KERNEL; + sel_inode_cache = kmem_cache_create("selinux_inode_security", + sizeof(struct inode_security_struct), + 0, SLAB_PANIC, NULL, NULL); avc_init(); original_ops = secondary_ops = security_ops; -- cgit v1.2.3