authorDaniel Jurgens <danielj@mellanox.com>2017-05-19 15:48:59 +0300
committerPaul Moore <paul@paul-moore.com>2017-05-23 12:28:12 -0400
commit409dcf31538ae6ae96b3a0a1d3211e668bfefe8b (patch)
treeee0e91fb5f99ad65bca29b34c4b6261f63405278 /security/selinux/hooks.c
parentab861dfca1652aa09b26b7aa2899feb29b33dfd9 (diff)
selinux: Add a cache for quicker retreival of PKey SIDs
It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs, use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James Morris <jmorris@redhat.com> and Paul Moore <paul@paul-moore.com> (see security/selinux/netif.c and security/selinux/netport.c for more information). Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Acked-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 91ec46dd34d9..158f6a005246 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
#include "netif.h"
#include "netnode.h"
#include "netport.h"
+#include "ibpkey.h"
#include "xfrm.h"
#include "netlabel.h"
#include "audit.h"
@@ -174,8 +175,10 @@ static int selinux_netcache_avc_callback(u32 event)
static int selinux_lsm_notifier_avc_callback(u32 event)
{
- if (event == AVC_CALLBACK_RESET)
+ if (event == AVC_CALLBACK_RESET) {
+ sel_ib_pkey_flush();
call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+ }
return 0;
}
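Review bot: The new `sel_ib_pkey_flush()` call in the `AVC_CALLBACK_RESET` branch of selinux_lsm_notifier_avc_callback carries no comment explaining why it sits before `call_lsm_notifier()`, and the order looks load-bearing. Presumably listeners of LSM_POLICY_CHANGE re-check PKey access, which after this commit resolves SIDs through the cache, so a flush placed after the notifier would let them re-validate against SIDs from the old policy. I would add `/* Drop cached PKey SIDs first so notifier listeners re-resolve them under the new policy. */` above the flush so a later reordering does not quietly reintroduce stale labels.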
@@ -6156,7 +6159,7 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
struct ib_security_struct *sec = ib_sec;
struct lsm_ibpkey_audit ibpkey;
- err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
+ err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
if (err)
return err;
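Review bot: With `sel_ib_pkey_sid()` the access decision in selinux_ib_pkey_access rests on a cached SID instead of a fresh policy lookup, and nothing at the call site says what keeps that cache consistent with the loaded policy. The only invalidation visible in this diff is the flush on AVC_CALLBACK_RESET. Whether a lookup that began under the old policy can insert its result after that flush, and whether the cache is bounded for caller-supplied `subnet_prefix`/`pkey_val` pairs, depends on the cache implementation behind ibpkey.h, which is not shown here and is worth checking as part of this review. A short comment such as `/* cached lookup; entries are dropped by sel_ib_pkey_flush() on policy reset */` above the call would point readers there. The function starts before and continues after this hunk.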