From 409dcf31538ae6ae96b3a0a1d3211e668bfefe8b Mon Sep 17 00:00:00 2001
From: Daniel Jurgens
Date: Fri, 19 May 2017 15:48:59 +0300
Subject: selinux: Add a cache for quicker retreival of PKey SIDs
It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James Morris and Paul Moore (see security/selinux/netif.c and security/selinux/netport.c for more information)
Signed-off-by: Daniel Jurgens
Acked-by: Doug Ledford
Signed-off-by: Paul Moore
---
 security/selinux/hooks.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 91ec46dd34d9..158f6a005246 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+#include "ibpkey.h"
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
@@ -174,8 +175,10 @@ static int selinux_netcache_avc_callback(u32 event)
 static int selinux_lsm_notifier_avc_callback(u32 event)
 {
- if (event == AVC_CALLBACK_RESET)
+ if (event == AVC_CALLBACK_RESET) {
+ sel_ib_pkey_flush();
 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+ }
 return 0;
 }
@@ -6156,7 +6159,7 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
 struct ib_security_struct *sec = ib_sec;
 struct lsm_ibpkey_audit ibpkey;
- err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
+ err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
 if (err)
 return err;
--
cgit v1.2.3
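Review bot: In `selinux_lsm_notifier_avc_callback` the order of the two calls inside the new braces matters, and nothing in the code says so. `sel_ib_pkey_flush()` has to run before `call_lsm_notifier(LSM_POLICY_CHANGE, NULL)`, presumably because notifier consumers re-evaluate PKey access on a policy change and would otherwise be answered from SIDs cached under the old policy. I would add `/* Flush the PKey SID cache first so LSM_POLICY_CHANGE listeners never see pre-reload SIDs. */` above the flush. This callback is also the only invalidation point for the cache visible in this diff, so a later reordering or early return here would leave stale labels in the enforcement path.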
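Review bot: `selinux_ib_pkey_access` now takes the SID for its permission check from `sel_ib_pkey_sid()`, so the `if (err) return err;` that follows denies access on any error the cache layer can produce, not only on a failed policy lookup. The cache implementation behind `ibpkey.h` is not part of this view (the page is limited to hooks.c). It therefore cannot be confirmed here that an allocation failure while inserting an entry still yields the SID from `security_ib_pkey_sid()` rather than an error, or that entries are keyed on both `subnet_prefix` and `pkey_val`. Once confirmed, a comment at the call such as `/* cached lookup; flushed on AVC_CALLBACK_RESET, falls back to security_ib_pkey_sid() on a miss */` would record the contract this hook relies on. The function starts before and continues after the hunk.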