
Commit 6bc1968

scottmayhewpcmoore
authored andcommitted
selinux: try to use preparsed sid before calling parse_sid()
Avoid unnecessary parsing of sids that have already been parsed via selinux_sb_eat_lsm_opts(). Signed-off-by: Scott Mayhew <smayhew@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
1 parent b8b87fd commit 6bc1968

1 file changed

Lines changed: 59 additions & 29 deletions


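--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -675,36 +675,48 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 */
 if (opts) {
 if (opts->fscontext) {
-rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
-if (rc)
-goto out;
+if (opts->fscontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
+if (rc)
+goto out;
+} else
+fscontext_sid = opts->fscontext_sid;
 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 fscontext_sid))
 goto out_double_mount;
 sbsec->flags |= FSCONTEXT_MNT;
 }
 if (opts->context) {
-rc = parse_sid(sb, opts->context, &context_sid);
-if (rc)
-goto out;
+if (opts->context_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->context, &context_sid);
+if (rc)
+goto out;
+} else
+context_sid = opts->context_sid;
 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 context_sid))
 goto out_double_mount;
 sbsec->flags |= CONTEXT_MNT;
 }
 if (opts->rootcontext) {
-rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
-if (rc)
-goto out;
+if (opts->rootcontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
+if (rc)
+goto out;
+} else
+rootcontext_sid = opts->rootcontext_sid;
 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 rootcontext_sid))
 goto out_double_mount;
 sbsec->flags |= ROOTCONTEXT_MNT;
 }
 if (opts->defcontext) {
-rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
-if (rc)
-goto out;
+if (opts->defcontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
+if (rc)
+goto out;
+} else
+defcontext_sid = opts->defcontext_sid;
 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 defcontext_sid))
 goto out_double_mount;
@@ -2709,7 +2721,6 @@ static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
 {
 struct selinux_mnt_opts *opts = mnt_opts;
 struct superblock_security_struct *sbsec = selinux_superblock(sb);
-u32 sid;
 int rc;
 
 if (!(sbsec->flags & SE_SBINITIALIZED))
@@ -2719,33 +2730,48 @@ static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
 return 0;
 
 if (opts->fscontext) {
-rc = parse_sid(sb, opts->fscontext, &sid);
-if (rc)
-return rc;
-if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
+if (opts->fscontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->fscontext,
+&opts->fscontext_sid);
+if (rc)
+return rc;
+}
+if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
+opts->fscontext_sid))
 goto out_bad_option;
 }
 if (opts->context) {
-rc = parse_sid(sb, opts->context, &sid);
-if (rc)
-return rc;
-if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
+if (opts->context_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->context, &opts->context_sid);
+if (rc)
+return rc;
+}
+if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
+opts->context_sid))
 goto out_bad_option;
 }
 if (opts->rootcontext) {
 struct inode_security_struct *root_isec;
 root_isec = backing_inode_security(sb->s_root);
-rc = parse_sid(sb, opts->rootcontext, &sid);
-if (rc)
-return rc;
-if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
+if (opts->rootcontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->rootcontext,
+&opts->rootcontext_sid);
+if (rc)
+return rc;
+}
+if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
+opts->rootcontext_sid))
 goto out_bad_option;
 }
 if (opts->defcontext) {
-rc = parse_sid(sb, opts->defcontext, &sid);
-if (rc)
-return rc;
-if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
+if (opts->defcontext_sid == SECSID_NULL) {
+rc = parse_sid(sb, opts->defcontext,
+&opts->defcontext_sid);
+if (rc)
+return rc;
+}
+if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
+opts->defcontext_sid))
 goto out_bad_option;
 }
 return 0;
@@ -2843,6 +2869,10 @@ static int selinux_fs_context_dup(struct fs_context *fc,
 if (!opts->defcontext)
 return -ENOMEM;
 }
+opts->fscontext_sid = src->fscontext_sid;
+opts->context_sid = src->context_sid;
+opts->rootcontext_sid = src->rootcontext_sid;
+opts->defcontext_sid = src->defcontext_sid;
 return 0;
 }
 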
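Review bot: In selinux_set_mnt_opts() and selinux_sb_remount() a non-null `opts->*_sid` is now taken as the label for the matching context string without re-parsing, and that value feeds the bad_option() comparison, yet the new code carries no comment stating the invariant it relies on. The struct definition and selinux_sb_eat_lsm_opts() are outside this diff, so presumably the fields start as SECSID_NULL and are only filled by a successful parse_sid(); a comment above the first check such as `/* *_sid is SECSID_NULL until the matching context string has been parsed; the two must always be set together */` would record that. The two functions also handle the fallback differently: selinux_sb_remount() stores the parsed SID back into `opts`, while selinux_set_mnt_opts() parses into a local and leaves the cached field empty, which is worth either unifying or explaining. In selinux_set_mnt_opts() the four `} else` arms should be braced to match their `if` arm, e.g. `} else {` then `fscontext_sid = opts->fscontext_sid;` then `}`. Both function bodies begin and end outside the hunks shown.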
