[Xen-devel] [PATCH 2/2] xen/evtchn: optimize evtchn_security_struct
Because FLASK is the only implementation of the XSM hooks in Xen, some of the abstractions required to handle multiple XSM providers are redundant and only produce unneeded overhead. This patch reduces the memory overhead of enabling XSM on event channels by replacing the untyped ssid pointer from struct evtchn with the sid field that it would point to when FLASK is enabled. This avoids an additional heap allocation for every event channel, and on 64-bit systems, reduces the size of struct evtchn by 4 bytes. This also cleans up the unused selinux_checkreqprot declaration left from the Linux port. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/include/xen/sched.h | 2 +- xen/xsm/flask/hooks.c | 37 ++++++------------------------------- xen/xsm/flask/include/objsec.h | 6 ------ 3 files changed, 7 insertions(+), 38 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 00f0eba..904acdc 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -101,7 +101,7 @@ struct evtchn
 u16 last_vcpu_id;
 u8 last_priority;
 #ifdef FLASK_ENABLE
- void *ssid;
+ u32 sid;
 #endif
 };
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 96276ac..544c469 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -52,8 +52,7 @@ static u32 domain_target_sid(struct domain *src, struct domain *dst)
 static u32 evtchn_sid(const struct evtchn *chn)
 {
- struct evtchn_security_struct *esec = chn->ssid;
- return esec->sid;
+ return chn->sid;
 }
 static int domain_has_perm(struct domain *dom1, struct domain *dom2,
@@ -174,7 +173,6 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
 u32 sid1, sid2, newsid;
 int rc;
 struct domain *d2;
- struct evtchn_security_struct *esec;
 d2 = rcu_lock_domain_by_any_id(id2);
 if ( d2 == NULL )
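Review bot: The new `u32 sid;` member of struct evtchn in sched.h has no comment, and unlike the old `void *ssid` its type no longer tells the reader that this is an opaque XSM label or who owns it. Suggest `u32 sid; /* FLASK security label; written only by the XSM evtchn hooks in flask/hooks.c */`. Also worth recording in that comment: where a zero-filled evtchn previously held a NULL ssid that `evtchn_sid()` would fault on, it now holds sid 0, so a channel whose alloc hook was skipped is silently treated as labelled 0 rather than crashing — this is a change in failure mode the reader of sched.h cannot infer. The -52 hunk in hooks.c is where that behaviour change lands; the -174 hunk only drops the now-unused local.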
@@ -182,7 +180,6 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
 sid1 = domain_sid(d1);
 sid2 = domain_target_sid(d1, d2);
- esec = chn->ssid;
 rc = security_transition_sid(sid1, sid2, SECCLASS_EVENT, &newsid);
 if ( rc )
@@ -196,7 +193,7 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
 if ( rc )
 goto out;
- esec->sid = newsid;
+ chn->sid = newsid;
 out:
 rcu_unlock_domain(d2);
@@ -208,7 +205,6 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
 {
 u32 sid1, sid2, newsid, reverse_sid;
 int rc;
- struct evtchn_security_struct *esec1;
 struct avc_audit_data ad;
 AVC_AUDIT_DATA_INIT(&ad, NONE);
 ad.sdom = d1;
@@ -217,8 +213,6 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
 sid1 = domain_sid(d1);
 sid2 = domain_target_sid(d1, d2);
- esec1 = chn1->ssid;
-
 rc = security_transition_sid(sid1, sid2, SECCLASS_EVENT, &newsid);
 if ( rc )
 {
@@ -244,17 +238,14 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
 if ( rc )
 return rc;
- esec1->sid = newsid;
+ chn1->sid = newsid;
 return rc;
 }
 static void flask_evtchn_close_post(struct evtchn *chn)
 {
- struct evtchn_security_struct *esec;
- esec = chn->ssid;
-
- esec->sid = SECINITSID_UNLABELED;
+ chn->sid = SECINITSID_UNLABELED;
 }
 static int flask_evtchn_send(struct domain *d, struct evtchn *chn)
@@ -289,33 +280,17 @@ static int flask_evtchn_reset(struct domain *d1, struct domain *d2)
 static int flask_alloc_security_evtchn(struct evtchn *chn)
 {
- struct evtchn_security_struct *esec;
-
- esec = xzalloc(struct evtchn_security_struct);
- if ( !esec )
- return -ENOMEM;
-
- esec->sid = SECINITSID_UNLABELED;
-
- chn->ssid = esec;
+ chn->sid = SECINITSID_UNLABELED;
 return 0;
 }
 static void flask_free_security_evtchn(struct evtchn *chn)
 {
- struct evtchn_security_struct *esec;
-
 if ( !chn )
 return;
- esec = chn->ssid;
-
- if ( !esec )
- return;
-
- chn->ssid = NULL;
- xfree(esec);
+ chn->sid = SECINITSID_UNLABELED;
 }
 static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *chn)
diff --git a/xen/xsm/flask/include/objsec.h b/xen/xsm/flask/include/objsec.h
index 6595dc3..b576a5d 100644
--- a/xen/xsm/flask/include/objsec.h
+++ b/xen/xsm/flask/include/objsec.h
@@ -23,10 +23,4 @@ struct domain_security_struct {
 u32 target_sid; /* SID for device model target domain */
 };
-struct evtchn_security_struct {
- u32 sid; /* current SID */
-};
-
-extern unsigned int selinux_checkreqprot;
-
 #endif /* _FLASK_OBJSEC_H_ */
-- 1.8.5.3 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
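Review bot: flask_alloc_security_evtchn can no longer fail — its only error path, the `-ENOMEM` return after xzalloc, is removed — yet it keeps the `int` return that callers presumably still check, and nothing in the hunk says the success is now unconditional; a one-line comment above `chn->sid = SECINITSID_UNLABELED;` such as `/* Cannot fail: the label is stored inline in struct evtchn. */` would make the contract explicit. In the same hunk flask_free_security_evtchn now performs exactly the reset that flask_evtchn_close_post performs in the -244 hunk, differing only in the surviving `if ( !chn ) return;` guard, so there are two copies of the "return the channel to the unlabelled state" logic that can drift apart. Either document why the free hook must tolerate a NULL chn while close_post does not, or have one of them call the other so the reset value lives in a single place.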