From patchwork Tue Apr 13 07:09:38 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 50043
X-Patchwork-Delegate: apw@canonical.com
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 281EDB7CF6 for ; Tue, 13 Apr 2010 17:10:38 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1O1aGW-0006Ch-PE; Tue, 13 Apr 2010 08:10:32 +0100
Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1O1aGA-0005sa-17 for kernel-team@lists.ubuntu.com; Tue, 13 Apr 2010 08:10:10 +0100
Received: from hutte.canonical.com ([91.189.90.181]) by adelie.canonical.com with esmtp (Exim 4.69 #1 (Debian)) id 1O1aGA-0003Pa-0H; Tue, 13 Apr 2010 08:10:10 +0100
Received: from [96.225.230.137] (helo=canonical.com) by hutte.canonical.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from ) id 1O1aG9-0002bO-KO; Tue, 13 Apr 2010 08:10:09 +0100
From: john.johansen@canonical.com
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 09/11] AppArmor: address performance regression of replaced profile
Date: Tue, 13 Apr 2010 00:09:38 -0700
Message-Id: <1271142580-26555-10-git-send-email-john.johansen@canonical.com>
X-Mailer: git-send-email 1.7.0
In-Reply-To: <1271142580-26555-1-git-send-email-john.johansen@canonical.com>
References: <1271142580-26555-1-git-send-email-john.johansen@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

From: John Johansen

OriginalAuthor: John Johansen
OriginalLocation: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparm$
commit: 5b2ed5984571ca59570240f505dc90810bb56842
BugLink: http://bugs.launchpad.net/bugs/549428

If a file has been opened under an old version of a profile (one that has
been replaced) it is labeled with the original profile and the labeling is
used to avoid performing revalidation (name lookup + permission check) on
every file access. Replacement changes the profile pointer so that the
labeling check fails and revalidation must be performed. This can cause a
performance regression that is noticeable on files that are accessed
frequently.

Make sure to get the newest version of the cached file profile before
comparing to current confinement profile.

Also, the permissions that were granted on open were not being stored in
the file->cxt forcing a revalidation because the check to avoid
revalidation also checks that the requested permissions are a subset of
cached granted permissions. So ensure that the granted permissions are
stored.

Signed-off-by: John Johansen
Acked-by: Andy Whitcroft
---
 security/apparmor/lsm.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d1c1be0..56509ce 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -419,7 +419,7 @@ static int apparmor_dentry_open(struct file *file, const struct cred *cred) /* released by aa_free_file_context */ fcxt->profile = aa_get_profile(profile); /* todo cache actual allowed permissions */ - fcxt->allowed = 0; + fcxt->allowed = aa_map_file_to_perms(file); } return error; @@ -448,7 +448,7 @@ static int apparmor_file_permission(struct file *file, int mask) * TODO: cache profiles that have revalidated? */ struct aa_file_cxt *fcxt = file->f_security; - struct aa_profile *profile, *fprofile = fcxt->profile; + struct aa_profile *profile, *fprofile = aa_newest_version(fcxt->profile); int error = 0; if (!fprofile || !file->f_path.mnt ||
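Review bot: in the `apparmor_dentry_open` hunk, the `/* todo cache actual allowed permissions */` comment immediately above the new `fcxt->allowed = aa_map_file_to_perms(file);` line is now stale, because this assignment is that cache; drop it or reword it to say that `allowed` records the permissions mapped from the file's open mode. Two points the hunk's context does not show and that should be confirmed before merging: that this assignment is only reached when the open-time permission check succeeded (otherwise `allowed` would record what was requested rather than what was granted, and the subset test in `apparmor_file_permission` would then let a denied request skip revalidation), and that `aa_map_file_to_perms(file)` uses the same permission encoding as the `mask` that `apparmor_file_permission` compares against `fcxt->allowed`.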
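Review bot: in the `apparmor_file_permission` hunk, `fprofile` now comes from `aa_newest_version(fcxt->profile)`, but the `if (!fprofile || !file->f_path.mnt ||` test on the following line only guards the result, not the argument; `aa_newest_version()` must itself tolerate a NULL `fcxt->profile`, or the call needs a guard such as `fcxt->profile ? aa_newest_version(fcxt->profile) : NULL`. Also, `fcxt->profile` still holds the reference taken by `aa_get_profile()` at open time, while the newest version is only borrowed through the replacement chain for the duration of this check; that is fine if the chain keeps the successor alive, but since the cached pointer is never refreshed, every access on a file opened under an old profile walks the chain again. Swapping `fcxt->profile` to the newest version (taking a new reference and dropping the old one) when it differs would keep the fast path cheap after replacement and let long-replaced profiles be freed.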
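To make the two defects in the commit message concrete, here is an added user-space model of the revalidation fast path; it is constructed for this page and is not AppArmor's code. The names `newest_version`, `file_open`, `file_permission`, `count_revalidations`, the `PERM_*` bits and the `struct profile`/`struct file_cxt` layouts are hypothetical stand-ins for the kernel's `aa_newest_version()`, `apparmor_dentry_open()`, `apparmor_file_permission()` and `struct aa_file_cxt`. The scenario opens a file for read under profile v1, replaces v1 with an equivalent v2, then counts how many of the subsequent accesses fall off the cached fast path under each combination of the pre-fix and post-fix behaviours.

```c
#include <stdio.h>

/* Constructed model of the caching described in the commit message.
 * All names here are hypothetical stand-ins, not AppArmor's own types. */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u

struct profile {
    const char *name;
    unsigned int file_perms;      /* permissions this version grants on the modeled file */
    struct profile *replaced_by;  /* successor after replacement, NULL while live */
};

struct file_cxt {
    struct profile *profile;      /* profile the file was labeled with at open */
    unsigned int allowed;         /* permissions granted at open */
};

struct stats {
    int revalidations;            /* full name lookup + permission checks performed */
};

/* Walk the replacement chain to the live version; NULL-tolerant. */
struct profile *newest_version(struct profile *p)
{
    while (p && p->replaced_by)
        p = p->replaced_by;
    return p;
}

/* Full revalidation against the task's current profile: 0 on success, -1 on denial. */
static int revalidate(const struct profile *current, unsigned int mask, struct stats *st)
{
    st->revalidations++;
    return (mask & ~current->file_perms) ? -1 : 0;
}

/* Open-time check; caches the label and, when store_allowed is set, the granted bits.
 * store_allowed == 0 reproduces the pre-fix behaviour of caching 0. */
static int file_open(struct file_cxt *fcxt, struct profile *current,
                     unsigned int mask, int store_allowed, struct stats *st)
{
    if (revalidate(current, mask, st))
        return -1;                /* nothing is cached on a denied open */
    fcxt->profile = current;
    fcxt->allowed = store_allowed ? mask : 0;
    return 0;
}

/* Per-access check. The fast path skips revalidation only when the cached label
 * matches the current profile and the request is a subset of the cached grants.
 * use_newest == 0 compares the raw cached pointer (pre-fix), which always misses
 * once the profile has been replaced. */
static int file_permission(struct file_cxt *fcxt, struct profile *current,
                           unsigned int mask, int use_newest, struct stats *st)
{
    struct profile *fprofile = use_newest ? newest_version(fcxt->profile)
                                          : fcxt->profile;

    if (fprofile == current && (mask & ~fcxt->allowed) == 0)
        return 0;                 /* cached decision reused */
    return revalidate(current, mask, st);
}

/* Scenario: open for read under v1, replace v1 with an equivalent v2, then perform
 * `accesses` checks for access_mask under v2. Returns the revalidation count after
 * open, or -1 if the open itself was denied. */
int count_revalidations(int use_newest, int store_allowed,
                        unsigned int access_mask, int accesses)
{
    struct profile v1 = { "app-v1", PERM_READ | PERM_WRITE, NULL };
    struct profile v2 = { "app-v2", PERM_READ | PERM_WRITE, NULL };
    struct file_cxt fcxt = { NULL, 0 };
    struct stats st = { 0 };
    int i;

    if (file_open(&fcxt, &v1, PERM_READ, store_allowed, &st))
        return -1;
    v1.replaced_by = &v2;         /* profile replacement: the task now runs under v2 */
    st.revalidations = 0;
    for (i = 0; i < accesses; i++)
        file_permission(&fcxt, &v2, access_mask, use_newest, &st);
    return st.revalidations;
}

int main(void)
{
    printf("stale pointer, grants cached : %d revalidations\n",
           count_revalidations(0, 1, PERM_READ, 1000));
    printf("newest version, grants zeroed: %d revalidations\n",
           count_revalidations(1, 0, PERM_READ, 1000));
    printf("newest version, grants cached: %d revalidations\n",
           count_revalidations(1, 1, PERM_READ, 1000));
    printf("write not granted at open    : %d revalidations\n",
           count_revalidations(1, 1, PERM_WRITE, 1000));
    return 0;
}
```

Only the combination that both follows the replacement chain and caches the granted bits stays on the fast path; either half of the fix alone still revalidates on every access, which is why the patch touches both `apparmor_dentry_open` and `apparmor_file_permission`. The last case shows the subset check doing its job: a write on a file opened for read is not covered by the cache and is re-checked against the current profile rather than waved through.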