
lsm stacking through chaining

From:  "Serge E. Hallyn" <serue@us.ibm.com>
To:  Chris Wright <chrisw@osdl.org>, James Morris <jmorris@redhat.com>, Stephen Smalley <sds@epoch.ncsc.mil>
Subject:  [PATCH] lsm stacking through chaining
Date:  Thu, 11 Nov 2004 16:15:12 -0600
Cc:  LSM Mailing List <linux-security-module@wirex.com>

Hi,

Attached is a new implementation of the lsm stacking through chaining.
This one is a little more intricate than the last, in that it is enabled
when the stacker module is compiled in, but can otherwise be compiled out.
The attached lmbench numbers show that the Fedora setup of selinux +
capabilities compiled in (and no stacker module) does not slow down this
benchmark, at least.  Using the same modules through stacker fares
a bit worse.

Attached are the following files:
lsm-chain.patch: implements the CONFIG-dependent use of hlist_heads for
	kernel object security structs.
selinux-stack.patch: patches selinux to make use of the new infrastructure.
seclvl-stack.patch: patches seclvl to make use of the new infrastructure.

nostack: lmbench output for an unpatched 2.6.10-rc1-bk12 kernel with
	selinux and capabilities compiled in.
newchain-nostack: lmbench output for a patched 2.6.10-rc1-bk20 kernel
	with selinux and capabilities compiled in, and
	CONFIG_SECURITY_STACKER=n
newchain-stacked: lmbench output for a patched 2.6.10-rc1-bk20 kernel
	with selinux and capabilities compiled in, and
	CONFIG_SECURITY_STACKER=y
newchain-multstack: lmbench output for a patched 2.6.10-rc1-bk20 kernel
	with selinux and capabilities compiled in, seclvl and bsdjail
	loaded (bsdjail patch is not appended) and the lmbench process
	jailed.

Note that the kernel versions are slightly different between patched
and unpatched.  If this is worrisome, I can try to get a new set of
numbers.

-serge

Index: linux-2.6.10-rc1-bk19-newchain/fs/exec.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/fs/exec.c	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/fs/exec.c	2004-11-09 21:33:51.000000000
-0600
@@ -1109,6 +1109,7 @@
 	bprm->file = file;
 	bprm->filename = filename;
 	bprm->interp = filename;
+	INIT_SECURITY(bprm->security);
 	bprm->mm = mm_alloc();
 	if (!bprm->mm)
 		goto out_file;
@@ -1164,8 +1165,7 @@
 			__free_page(page);
 	}
 
-	if (bprm->security)
-		security_bprm_free(bprm);
+	security_bprm_free(bprm);
 
 out_mm:
 	if (bprm->mm)
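Review bot: Dropping the `if (bprm->security)` guard makes `security_bprm_free()` run on every error path, including those reached before `security_bprm_alloc()` was called or after it failed, so each module's `bprm_free_security` hook must now tolerate an unset security field. The converted SELinux hook does (`security_del_value` yields NULL and `kfree(NULL)` is a no-op), but a module that still reads `bprm->security` directly would dereference NULL here. A one-line comment above the call, `/* hooks must cope with an unset bprm->security */`, would record the new contract. The enclosing function continues outside the hunk.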
Index: linux-2.6.10-rc1-bk19-newchain/fs/inode.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/fs/inode.c	2004-11-09 21:31:48.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/fs/inode.c	2004-11-09 21:34:49.000000000
-0600
@@ -134,7 +134,7 @@
 		inode->i_bdev = NULL;
 		inode->i_cdev = NULL;
 		inode->i_rdev = 0;
-		inode->i_security = NULL;
+		INIT_SECURITY(inode->i_security);
 		inode->dirtied_when = 0;
 		if (security_inode_alloc(inode)) {
 			if (inode->i_sb->s_op->destroy_inode)
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/binfmts.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/binfmts.h	2004-10-18 16:54:30.000000000
-0500
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/binfmts.h	2004-11-10 04:09:57.000000000
-0600
@@ -29,7 +29,7 @@
 	struct file * file;
 	int e_uid, e_gid;
 	kernel_cap_t cap_inheritable, cap_permitted, cap_effective;
-	void *security;
+	security_t security;
 	int argc, envc;
 	char * filename;	/* Name of binary as seen by procps */
 	char * interp;		/* Name of the binary really executed. Most
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/fs.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/fs.h	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/fs.h	2004-11-09 21:36:07.000000000
-0600
@@ -479,7 +479,7 @@
 	unsigned int		i_flags;
 
 	atomic_t		i_writecount;
-	void			*i_security;
+	security_t		i_security;
 	union {
 		void		*generic_ip;
 	} u;
@@ -553,7 +553,7 @@
 	rwlock_t lock;          /* protects pid, uid, euid fields */
 	int pid;		/* pid or -pgrp where SIGIO should be sent */
 	uid_t uid, euid;	/* uid/euid of process setting the owner */
-	void *security;
+	security_t	 security;
 	int signum;		/* posix.1b rt signal to be delivered on IO */
 };
 
@@ -589,7 +589,7 @@
 	struct file_ra_state	f_ra;
 
 	unsigned long		f_version;
-	void			*f_security;
+	security_t		f_security;
 
 	/* needed for tty driver, and maybe others */
 	void			*private_data;
@@ -773,7 +773,7 @@
 	int			s_syncing;
 	int			s_need_sync_fs;
 	atomic_t		s_active;
-	void                    *s_security;
+ 	security_t		s_security;
 	struct xattr_handler	**s_xattr;
 
 	struct list_head	s_dirty;	/* dirty inodes */
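Review bot: The replacement line for `s_security` is indented with a space followed by a tab, unlike its neighbours which use a single tab, so it breaks the column alignment of the struct and will show up in any whitespace check; it should read `\tsecurity_t\t\ts_security;` with one leading tab. The same type swap in the three preceding hunks of this file is clean.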
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/ipc.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/ipc.h	2004-10-18 16:53:05.000000000
-0500
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/ipc.h	2004-11-09 21:36:15.000000000
-0600
@@ -65,7 +65,7 @@
 	gid_t		cgid;
 	mode_t		mode; 
 	unsigned long	seq;
-	void		*security;
+	security_t	security;
 };
 
 #endif /* __KERNEL__ */
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/msg.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/msg.h	2004-10-18 16:54:31.000000000
-0500
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/msg.h	2004-11-09 21:36:31.000000000
-0600
@@ -70,7 +70,7 @@
 	long  m_type;          
 	int m_ts;           /* message text size */
 	struct msg_msgseg* next;
-	void *security;
+	security_t security;
 	/* the actual message follows immediately */
 };
 
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/sched.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/sched.h	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/sched.h	2004-11-09 21:36:42.000000000
-0600
@@ -627,7 +627,7 @@
 	void *notifier_data;
 	sigset_t *notifier_mask;
 	
-	void *security;
+	security_t security;
 	struct audit_context *audit_context;
 
 /* Thread group tracking */
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/security.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/security.h	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/security.h	2004-11-10 19:58:20.000000000
-0600
@@ -33,6 +33,86 @@
 
 struct ctl_table;
 
+#ifdef CONFIG_SECURITY_STACKER
+/*
+ * structure to be embedded at top of each LSM's security
+ * objects.
+ */
+struct lsm_obj_list {
+	struct hlist_node list;
+	int lsm_id;
+};
+#define security_info struct lsm_obj_list lsm_obj
+#else
+#define security_info
+#endif
+
+/*
+ * Define the kernel object security field differently based
+ * on whether we want to use stacker or not.
+ * Then offer functions to get, set, and delete such values.
+ *
+ * USAGE:
+ *   struct my_sec_struct_t {
+ *	struct lsm_obj_list lsm_obj;
+ *	void rest_of_my_data;
+ *   };
+ *   security_get_value(&inode->i_security, MY_LSM_ID);
+ *	returns a pointer to my_sec_struct->lsm_obj
+ *   security_set_value(&inode->i_security, MY_LSM_ID,
+ *		&my_sec_struct->lsm_obj);
+ *	sets inode->i_security = my_sec_struct->lsm_obj
+ *	returns a pointer to my_sec_struct->lsm_obj, or NULL
+ *   security_del_value(&inode->i_security, MY_LSM_ID);
+ *	returns a pointer to my_sec_struct->lsm_obj, or NULL
+ */
+#ifdef CONFIG_SECURITY_STACKER
+extern rwlock_t lsm_obj_rwlock;
+extern struct lsm_obj_list *security_getv(struct hlist_head *head, int
lsm_id);
+extern struct lsm_obj_list *security_setv(struct hlist_head *head, int
lsm_id,
+				 struct lsm_obj_list *obj_node);
+extern void security_setv_nocheck(struct hlist_head *head, int lsm_id,
+				struct lsm_obj_list *obj_node);
+extern struct lsm_obj_list *security_delv(struct hlist_head *head, int
lsm_id);
+
+#define security_get_value(obj, id, dest) { \
+	struct lsm_obj_list *v = security_getv(&(obj), id); \
+	dest = v ? hlist_entry(v, typeof(*dest), lsm_obj) : NULL; \
+}
+
+#define security_set_value(obj, id, newv, oldv) { \
+	struct lsm_obj_list *v = security_setv(&(obj),id,&(newv)->lsm_obj); \
+	oldv = v ? hlist_entry(v, typeof(*oldv), lsm_obj) : NULL; \
+}
+
+#define security_set_value_nocheck(obj, id, newv) \
+	security_setv_nocheck(&(obj), id, &(newv)->lsm_obj)
+
+#define security_del_value(obj, id, oldv) { \
+	struct lsm_obj_list *v = security_delv(&(obj), id); \
+	oldv = v ? hlist_entry(v, typeof(*oldv), lsm_obj) : NULL; \
+}
+
+#else
+
+#define security_get_value(obj, id, dest) { \
+	(dest) = (obj); \
+}
+
+#define security_set_value(obj, id, newv, oldv) { \
+	(oldv) = (obj); (obj) = (newv); \
+}
+
+#define security_set_value_nocheck(obj, id, newv) { \
+	(obj) = (newv); \
+}
+
+#define security_del_value(obj, id, oldv) { \
+	(oldv) = (obj); (obj) = NULL; \
+}
+	
+#endif
+
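Review bot: The four accessor macros in both branches wrap their body in bare `{ ... }`, so the natural `security_get_value(...);` statement expands to `{ ... };` and fails to compile inside `if (...) security_get_value(...); else ...`, and the stacker-side versions also declare a local `v` that silently shadows any caller variable of that name; wrapping each body in `do { ... } while (0)` and using a less collision-prone name such as `__lsm_v` fixes both. The USAGE comment documents a different interface from the one defined: it shows `security_get_value(&inode->i_security, MY_LSM_ID)` returning a pointer, whereas the macros take the field itself plus a destination lvalue and take the address internally, and `void rest_of_my_data;` is not valid C. The same comment should also state that `security_get_value` hands back the entry without pinning it (the lookup lock is released before the caller sees it), so callers rely on the owning kernel object keeping the entry alive — presumably the intent, but worth writing down.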
 /*
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
Index: linux-2.6.10-rc1-bk19-newchain/include/linux/types.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/linux/types.h	2004-11-09 21:31:48.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/include/linux/types.h	2004-11-10 04:19:25.000000000
-0600
@@ -167,4 +167,12 @@
 	char			f_fpack[6];
 };
 
+#ifndef CONFIG_SECURITY_STACKER
+#define security_t void *
+#define INIT_SECURITY(x) x = NULL
+#else
+#define security_t struct hlist_head
+#define INIT_SECURITY(x) INIT_HLIST_HEAD(&x)
+#endif
+
 #endif /* _LINUX_TYPES_H */
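Review bot: `security_t` is a macro rather than a typedef, so a declaration such as `security_t a, b;` expands to `void *a, b;` in the non-stacker build and silently gives `b` the wrong type; `typedef void *security_t;` and `typedef struct hlist_head security_t;` would keep the `_t` name honest. `INIT_SECURITY(x)` should likewise parenthesise its argument and be a single statement, e.g. `#define INIT_SECURITY(x) do { (x) = NULL; } while (0)` and `#define INIT_SECURITY(x) INIT_HLIST_HEAD(&(x))`. The stacker branch also needs `struct hlist_head` and `INIT_HLIST_HEAD` visible wherever types.h is used, which presumably means `<linux/list.h>` — confirm that does not introduce an include cycle.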
Index: linux-2.6.10-rc1-bk19-newchain/include/net/sock.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/include/net/sock.h	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/include/net/sock.h	2004-11-09 21:51:34.000000000
-0600
@@ -254,7 +254,7 @@
 	__u32			sk_sndmsg_off;
 	struct sk_buff		*sk_send_head;
 	int			sk_write_pending;
-	void			*sk_security;
+	security_t		sk_security;
 	__u8			sk_queue_shrunk;
 	/* three bytes hole, try to pack */
 	void			(*sk_state_change)(struct sock *sk);
Index: linux-2.6.10-rc1-bk19-newchain/ipc/msg.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/ipc/msg.c	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/ipc/msg.c	2004-11-09 21:51:51.000000000
-0600
@@ -98,7 +98,7 @@
 	msq->q_perm.mode = (msgflg & S_IRWXUGO);
 	msq->q_perm.key = key;
 
-	msq->q_perm.security = NULL;
+	INIT_SECURITY(msq->q_perm.security);
 	retval = security_msg_queue_alloc(msq);
 	if (retval) {
 		ipc_rcu_putref(msq);
Index: linux-2.6.10-rc1-bk19-newchain/ipc/msgutil.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/ipc/msgutil.c	2004-10-18 16:54:07.000000000
-0500
+++ linux-2.6.10-rc1-bk19-newchain/ipc/msgutil.c	2004-11-09 21:53:30.000000000
-0600
@@ -41,7 +41,7 @@
 		return ERR_PTR(-ENOMEM);
 
 	msg->next = NULL;
-	msg->security = NULL;
+	INIT_SECURITY(msg->security);
 
 	if (copy_from_user(msg + 1, src, alen)) {
 		err = -EFAULT;
Index: linux-2.6.10-rc1-bk19-newchain/ipc/sem.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/ipc/sem.c	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/ipc/sem.c	2004-11-09 21:53:26.000000000
-0600
@@ -177,7 +177,7 @@
 	sma->sem_perm.mode = (semflg & S_IRWXUGO);
 	sma->sem_perm.key = key;
 
-	sma->sem_perm.security = NULL;
+	INIT_SECURITY(sma->sem_perm.security);
 	retval = security_sem_alloc(sma);
 	if (retval) {
 		ipc_rcu_putref(sma);
Index: linux-2.6.10-rc1-bk19-newchain/ipc/shm.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/ipc/shm.c	2004-11-09 21:31:48.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/ipc/shm.c	2004-11-09 21:53:46.000000000
-0600
@@ -196,7 +196,7 @@
 	shp->shm_flags = (shmflg & S_IRWXUGO);
 	shp->mlock_user = NULL;
 
-	shp->shm_perm.security = NULL;
+	INIT_SECURITY(shp->shm_perm.security);
 	error = security_shm_alloc(shp);
 	if (error) {
 		ipc_rcu_putref(shp);
Index: linux-2.6.10-rc1-bk19-newchain/kernel/fork.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/kernel/fork.c	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/kernel/fork.c	2004-11-09 21:53:56.000000000
-0600
@@ -871,7 +871,7 @@
 	p->utime = p->stime = 0;
 	p->lock_depth = -1;		/* -1 = no lock */
 	do_posix_clock_monotonic_gettime(&p->start_time);
-	p->security = NULL;
+	INIT_SECURITY(p->security);
 	p->io_context = NULL;
 	p->io_wait = NULL;
 	p->audit_context = NULL;
Index: linux-2.6.10-rc1-bk19-newchain/security/dummy.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/dummy.c	2004-11-09 21:31:54.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/security/dummy.c	2004-11-10 03:41:38.000000000
-0600
@@ -1036,3 +1036,5 @@
 #endif	/* CONFIG_SECURITY_NETWORK */
 }
 
+EXPORT_SYMBOL_GPL(security_fixup_ops);
+
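Review bot: The second added line appends a blank line at end of file; drop it. Exporting `security_fixup_ops` also means modular LSMs will call it, yet the only declaration visible in this patch is the file-local `extern` in security.c, so a prototype in `include/linux/security.h` with a short comment on what it fills in would be the proper home for the new public symbol.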
Index: linux-2.6.10-rc1-bk19-newchain/security/security.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/security.c	2004-11-09 21:31:48.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/security/security.c	2004-11-10 20:08:41.835358328
-0600
@@ -20,6 +20,96 @@
 
 #define SECURITY_FRAMEWORK_VERSION	"1.0.0"
 
+#ifdef CONFIG_SECURITY_STACKER
+rwlock_t lsm_obj_rwlock = RW_LOCK_UNLOCKED;
+
+struct lsm_obj_list *
+security_getv(struct hlist_head *head, int lsm_id)
+{
+	unsigned long flags;
+	struct lsm_obj_list *e, *ret = NULL;
+	struct hlist_node *tmp;
+
+	read_lock_irqsave(&lsm_obj_rwlock, flags);
+	hlist_for_each_entry(e, tmp, head, list) {
+		if (e->lsm_id == lsm_id) {
+			ret = e;
+			goto out;
+		}
+	}
+
+out:
+	read_unlock_irqrestore(&lsm_obj_rwlock, flags);
+	return ret;
+}
+
+void
+security_setv_nocheck(struct hlist_head *head, int lsm_id,
+	struct lsm_obj_list *obj_node)
+{
+	unsigned long flags;
+
+	write_lock_irqsave(&lsm_obj_rwlock, flags);
+
+	INIT_HLIST_NODE(&obj_node->list);
+	obj_node->lsm_id = lsm_id;
+	hlist_add_head(&obj_node->list, head);
+
+	write_unlock_irqrestore(&lsm_obj_rwlock, flags);
+}
+
+struct lsm_obj_list *
+security_setv(struct hlist_head *head, int lsm_id,
+	struct lsm_obj_list *obj_node)
+{
+	unsigned long flags;
+	struct lsm_obj_list *e, *ret = NULL;
+	struct hlist_node *tmp;
+
+	write_lock_irqsave(&lsm_obj_rwlock, flags);
+	hlist_for_each_entry(e, tmp, head, list) {
+		if (e->lsm_id == lsm_id) {
+			ret = e;
+			hlist_del(&e->list);
+			break;
+		}
+	}
+
+	INIT_HLIST_NODE(&obj_node->list);
+	obj_node->lsm_id = lsm_id;
+	hlist_add_head(&obj_node->list, head);
+
+	write_unlock_irqrestore(&lsm_obj_rwlock, flags);
+	return ret;
+}
+
+struct lsm_obj_list *
+security_delv(struct hlist_head *head, int lsm_id)
+{
+	unsigned long flags;
+	struct lsm_obj_list *e, *ret = NULL;
+	struct hlist_node *tmp;
+
+	write_lock_irqsave(&lsm_obj_rwlock, flags);
+	hlist_for_each_entry(e, tmp, head, list) {
+		if (e->lsm_id == lsm_id) {
+			ret = e;
+			hlist_del(&e->list);
+			goto out;
+		}
+	}
+
+out:
+	write_unlock_irqrestore(&lsm_obj_rwlock, flags);
+	return ret;
+}
+
+EXPORT_SYMBOL_GPL(security_getv);
+EXPORT_SYMBOL_GPL(security_setv);
+EXPORT_SYMBOL_GPL(security_setv_nocheck);
+EXPORT_SYMBOL_GPL(security_delv);
+#endif
+
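Review bot: `security_getv` returns `ret` after `read_unlock_irqrestore`, so the lock covers only the list walk and nothing here prevents a concurrent `security_delv` plus `kfree` of the entry just returned; that is presumably acceptable because callers hold the owning object alive, but it should be stated in a header comment on each function, together with who owns the entry that `security_setv` and `security_delv` hand back (the caller must free it — nothing here does). All four functions share the single global `lsm_obj_rwlock` taken with `irqsave`, which serialises every security-blob lookup in the kernel across all objects; a per-object lock or RCU would be the natural follow-up if the stacked lmbench numbers in the cover note are a concern. As a style point, `security_getv` and `security_delv` reach the unlock via `goto out` while `security_setv` uses `break` for the same shape — pick one.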
 /* things that live in dummy.c */
 extern struct security_operations dummy_security_ops;
 extern void security_fixup_ops(struct security_operations *ops);

Index: linux-2.6.10-rc1-bk19-newchain/security/selinux/hooks.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/selinux/hooks.c	2004-11-10 04:22:40.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/security/selinux/hooks.c	2004-11-10 04:41:22.000000000
-0600
@@ -79,6 +79,11 @@
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
 
+static int secondary;
+
+static struct security_operations *secondary_ops;
+static struct security_operations nul_security_ops;
+
 static int __init enforcing_setup(char *str)
 {
 	selinux_enforcing = simple_strtol(str,NULL,0);
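Review bot: The new `secondary_ops` and `nul_security_ops` definitions are inserted between `int selinux_enforcing = 0;` and `enforcing_setup()`, which the context shows sits inside `#ifdef CONFIG_SECURITY_SELINUX_DEVELOP`; if the matching `#endif` follows `__setup("enforcing=", ...)` as it does in this file's layout, a `CONFIG_SECURITY_SELINUX_DEVELOP=n` build loses `secondary_ops` entirely while later hunks still dereference it, and the old unconditional definition is removed in the next hunk. Moving these three declarations below that `#endif` (for example where `original_ops` used to be) fixes it. `static int secondary;` is not used in any visible hunk, and the comment explaining what `secondary_ops` is for was dropped with the old definition and should move with the variable.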
@@ -98,15 +103,6 @@
 __setup("selinux=", selinux_enabled_setup);
 #endif
 
-/* Original (dummy) security module. */
-static struct security_operations *original_ops = NULL;
-
-/* Minimal support for a secondary security module,
-   just to allow the use of the dummy or capability modules.
-   The owlsm module can alternatively be used as a secondary
-   module as long as CONFIG_OWLSM_FD is not enabled. */
-static struct security_operations *secondary_ops = NULL;
-
 /* Lists of inode and superblock security structures initialized
    before the policy was loaded. */
 static LIST_HEAD(superblock_security_head);
@@ -123,30 +119,29 @@
 		return -ENOMEM;
 
 	memset(tsec, 0, sizeof(struct task_security_struct));
-	tsec->magic = SELINUX_MAGIC;
 	tsec->task = task;
 	tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
-	task->security = tsec;
+	security_set_value_nocheck(task->security, SELINUX_LSM_ID,
+			tsec);
 
 	return 0;
 }
 
 static void task_free_security(struct task_struct *task)
 {
-	struct task_security_struct *tsec = task->security;
-
-	if (!tsec || tsec->magic != SELINUX_MAGIC)
-		return;
+	struct task_security_struct *tsec;
+	
+	security_del_value(task->security, SELINUX_LSM_ID, tsec);
 
-	task->security = NULL;
 	kfree(tsec);
 }
 
 static int inode_alloc_security(struct inode *inode)
 {
-	struct task_security_struct *tsec = current->security;
+	struct task_security_struct *tsec;
 	struct inode_security_struct *isec;
 
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
 	if (!isec)
 		return -ENOMEM;
@@ -154,68 +149,69 @@
 	memset(isec, 0, sizeof(struct inode_security_struct));
 	init_MUTEX(&isec->sem);
 	INIT_LIST_HEAD(&isec->list);
-	isec->magic = SELINUX_MAGIC;
 	isec->inode = inode;
 	isec->sid = SECINITSID_UNLABELED;
 	isec->sclass = SECCLASS_FILE;
-	if (tsec && tsec->magic == SELINUX_MAGIC)
+	if (tsec)
 		isec->task_sid = tsec->sid;
 	else
 		isec->task_sid = SECINITSID_UNLABELED;
-	inode->i_security = isec;
+	security_set_value_nocheck(inode->i_security, SELINUX_LSM_ID,
+		isec);
 
 	return 0;
 }
 
 static void inode_free_security(struct inode *inode)
 {
-	struct inode_security_struct *isec = inode->i_security;
-	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+	struct inode_security_struct *isec;
+	struct superblock_security_struct *sbsec;
 
-	if (!isec || isec->magic != SELINUX_MAGIC)
+	security_del_value(inode->i_security, SELINUX_LSM_ID, isec);
+	if (!isec)
 		return;
 
+	security_get_value(inode->i_sb->s_security, SELINUX_LSM_ID, sbsec);
+
 	spin_lock(&sbsec->isec_lock);
 	if (!list_empty(&isec->list))
 		list_del_init(&isec->list);
 	spin_unlock(&sbsec->isec_lock);
 
-	inode->i_security = NULL;
 	kfree(isec);
 }
 
 static int file_alloc_security(struct file *file)
 {
-	struct task_security_struct *tsec = current->security;
+	struct task_security_struct *tsec;
 	struct file_security_struct *fsec;
 
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
 	if (!fsec)
 		return -ENOMEM;
 
 	memset(fsec, 0, sizeof(struct file_security_struct));
-	fsec->magic = SELINUX_MAGIC;
 	fsec->file = file;
-	if (tsec && tsec->magic == SELINUX_MAGIC) {
+	if (tsec) {
 		fsec->sid = tsec->sid;
 		fsec->fown_sid = tsec->sid;
 	} else {
 		fsec->sid = SECINITSID_UNLABELED;
 		fsec->fown_sid = SECINITSID_UNLABELED;
 	}
-	file->f_security = fsec;
+	security_set_value_nocheck(file->f_security, SELINUX_LSM_ID,
+		fsec);
 
 	return 0;
 }
 
 static void file_free_security(struct file *file)
 {
-	struct file_security_struct *fsec = file->f_security;
+	struct file_security_struct *fsec;
 
-	if (!fsec || fsec->magic != SELINUX_MAGIC)
-		return;
+	security_del_value(file->f_security, SELINUX_LSM_ID, fsec);
 
-	file->f_security = NULL;
 	kfree(fsec);
 }
 
@@ -232,20 +228,21 @@
 	INIT_LIST_HEAD(&sbsec->list);
 	INIT_LIST_HEAD(&sbsec->isec_head);
 	spin_lock_init(&sbsec->isec_lock);
-	sbsec->magic = SELINUX_MAGIC;
 	sbsec->sb = sb;
 	sbsec->sid = SECINITSID_UNLABELED;
 	sbsec->def_sid = SECINITSID_FILE;
-	sb->s_security = sbsec;
+	security_set_value_nocheck(sb->s_security, SELINUX_LSM_ID,
+		sbsec);
 
 	return 0;
 }
 
 static void superblock_free_security(struct super_block *sb)
 {
-	struct superblock_security_struct *sbsec = sb->s_security;
+	struct superblock_security_struct *sbsec;
 
-	if (!sbsec || sbsec->magic != SELINUX_MAGIC)
+	security_del_value(sb->s_security, SELINUX_LSM_ID, sbsec);
+	if (!sbsec)
 		return;
 
 	spin_lock(&sb_security_lock);
@@ -253,7 +250,6 @@
 		list_del_init(&sbsec->list);
 	spin_unlock(&sb_security_lock);
 
-	sb->s_security = NULL;
 	kfree(sbsec);
 }
 
@@ -270,22 +266,23 @@
 		return -ENOMEM;
 
 	memset(ssec, 0, sizeof(*ssec));
-	ssec->magic = SELINUX_MAGIC;
 	ssec->sk = sk;
 	ssec->peer_sid = SECINITSID_UNLABELED;
-	sk->sk_security = ssec;
+	security_set_value_nocheck(sk->sk_security, SELINUX_LSM_ID,
+			ssec);
 
 	return 0;
 }
 
 static void sk_free_security(struct sock *sk)
 {
-	struct sk_security_struct *ssec = sk->sk_security;
+	struct sk_security_struct *ssec;
+	
+	security_del_value(sk->sk_security, SELINUX_LSM_ID, ssec);
 
-	if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
+	if (sk->sk_family != PF_UNIX)
 		return;
 
-	sk->sk_security = NULL;
 	kfree(ssec);
 }
 #endif	/* CONFIG_SECURITY_NETWORK */
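Review bot: `sk_free_security` now unlinks the entry with `security_del_value` before testing `sk->sk_family != PF_UNIX`, so every non-PF_UNIX socket teardown pays a `lsm_obj_rwlock` write lock and chain walk that the old field compare avoided, and an entry would be detached but never freed if a non-PF_UNIX socket ever carried one. Restoring the original order keeps the cheap check first: `if (sk->sk_family != PF_UNIX) return;` then `security_del_value(sk->sk_security, SELINUX_LSM_ID, ssec);` and `kfree(ssec);`.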
@@ -332,8 +329,11 @@
 	const char *name;
 	u32 sid;
 	int alloc = 0, rc = 0, seen = 0;
-	struct task_security_struct *tsec = current->security;
-	struct superblock_security_struct *sbsec = sb->s_security;
+	struct task_security_struct *tsec;
+	struct superblock_security_struct *sbsec;
+
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(sb->s_security, SELINUX_LSM_ID, sbsec);
 
 	if (!data)
 		goto out;
@@ -499,11 +499,13 @@
 
 static int superblock_doinit(struct super_block *sb, void *data)
 {
-	struct superblock_security_struct *sbsec = sb->s_security;
+	struct superblock_security_struct *sbsec;
 	struct dentry *root = sb->s_root;
 	struct inode *inode = root->d_inode;
 	int rc = 0;
 
+	security_get_value(sb->s_security, SELINUX_LSM_ID, sbsec);
+
 	down(&sbsec->sem);
 	if (sbsec->initialized)
 		goto out;
@@ -722,7 +724,7 @@
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry
*opt_dentry)
 {
 	struct superblock_security_struct *sbsec = NULL;
-	struct inode_security_struct *isec = inode->i_security;
+	struct inode_security_struct *isec;
 	u32 sid;
 	struct dentry *dentry;
 #define INITCONTEXTLEN 255
@@ -731,6 +733,8 @@
 	int rc = 0;
 	int hold_sem = 0;
 
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
+
 	if (isec->initialized)
 		goto out;
 
@@ -739,7 +743,7 @@
 	if (isec->initialized)
 		goto out;
 
-	sbsec = inode->i_sb->s_security;
+	security_get_value(inode->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 	if (!sbsec->initialized) {
 		/* Defer initialization until selinux_complete_init,
 		   after the initial policy is loaded and the security
@@ -921,8 +925,8 @@
 {
 	struct task_security_struct *tsec1, *tsec2;
 
-	tsec1 = tsk1->security;
-	tsec2 = tsk2->security;
+	security_get_value(tsk1->security, SELINUX_LSM_ID, tsec1);
+	security_get_value(tsk2->security, SELINUX_LSM_ID, tsec2);
 	return avc_has_perm(tsec1->sid, tsec2->sid,
 			    SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
 }
@@ -934,7 +938,7 @@
 	struct task_security_struct *tsec;
 	struct avc_audit_data ad;
 
-	tsec = tsk->security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
 
 	AVC_AUDIT_DATA_INIT(&ad,CAP);
 	ad.tsk = tsk;
@@ -950,7 +954,7 @@
 {
 	struct task_security_struct *tsec;
 
-	tsec = tsk->security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
 
 	return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
 			    SECCLASS_SYSTEM, perms, NULL, NULL);
@@ -971,8 +975,8 @@
 	struct inode_security_struct *isec;
 	struct avc_audit_data ad;
 
-	tsec = tsk->security;
-	isec = inode->i_security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 
 	if (!adp) {
 		adp = &ad;
@@ -1012,14 +1016,17 @@
 				struct file *file,
 				u32 av)
 {
-	struct task_security_struct *tsec = tsk->security;
-	struct file_security_struct *fsec = file->f_security;
+	struct task_security_struct *tsec;
+	struct file_security_struct *fsec;
 	struct vfsmount *mnt = file->f_vfsmnt;
 	struct dentry *dentry = file->f_dentry;
 	struct inode *inode = dentry->d_inode;
 	struct avc_audit_data ad;
 	int rc;
 
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
+	security_get_value(file->f_security, SELINUX_LSM_ID, fsec);
+
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.mnt = mnt;
 	ad.u.fs.dentry = dentry;
@@ -1052,9 +1059,9 @@
 	struct avc_audit_data ad;
 	int rc;
 
-	tsec = current->security;
-	dsec = dir->i_security;
-	sbsec = dir->i_sb->s_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(dir->i_security, SELINUX_LSM_ID, dsec);
+	security_get_value(dir->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.dentry = dentry;
@@ -1099,9 +1106,9 @@
 	u32 av;
 	int rc;
 
-	tsec = current->security;
-	dsec = dir->i_security;
-	isec = dentry->d_inode->i_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(dir->i_security, SELINUX_LSM_ID, dsec);
+	security_get_value(dentry->d_inode->i_security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.dentry = dentry;
@@ -1145,11 +1152,11 @@
 	int old_is_dir, new_is_dir;
 	int rc;
 
-	tsec = current->security;
-	old_dsec = old_dir->i_security;
-	old_isec = old_dentry->d_inode->i_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(old_dir->i_security, SELINUX_LSM_ID, old_dsec);
+	security_get_value(old_dentry->d_inode->i_security, SELINUX_LSM_ID,
old_isec);
 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
-	new_dsec = new_dir->i_security;
+	security_get_value(new_dir->i_security, SELINUX_LSM_ID, new_dsec);
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 
@@ -1183,7 +1190,7 @@
 	if (rc)
 		return rc;
 	if (new_dentry->d_inode) {
-		new_isec = new_dentry->d_inode->i_security;
+		security_get_value(new_dentry->d_inode->i_security, SELINUX_LSM_ID,
new_isec);
 		new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
 		rc = avc_has_perm(tsec->sid, new_isec->sid,
 				  new_isec->sclass,
@@ -1205,8 +1212,8 @@
 	struct task_security_struct *tsec;
 	struct superblock_security_struct *sbsec;
 
-	tsec = tsk->security;
-	sbsec = sb->s_security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
+	security_get_value(sb->s_security, SELINUX_LSM_ID, sbsec);
 	return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 			    perms, NULL, ad);
 }
@@ -1259,8 +1266,11 @@
 /* Set an inode's SID to a specified value. */
 int inode_security_set_sid(struct inode *inode, u32 sid)
 {
-	struct inode_security_struct *isec = inode->i_security;
-	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+	struct inode_security_struct *isec;
+	struct superblock_security_struct *sbsec;
+
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
+	security_get_value(inode->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 
 	if (!sbsec->initialized) {
 		/* Defer initialization to selinux_complete_init. */
@@ -1289,9 +1299,9 @@
 	unsigned int len;
 	int rc;
 
-	tsec = current->security;
-	dsec = dir->i_security;
-	sbsec = dir->i_sb->s_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(dir->i_security, SELINUX_LSM_ID, dsec);
+	security_get_value(dir->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 
 	inode = dentry->d_inode;
 	if (!inode) {
@@ -1358,14 +1368,17 @@
 
 static int selinux_ptrace(struct task_struct *parent, struct task_struct
*child)
 {
-	struct task_security_struct *psec = parent->security;
-	struct task_security_struct *csec = child->security;
+	struct task_security_struct *psec;
+	struct task_security_struct *csec;
 	int rc;
 
 	rc = secondary_ops->ptrace(parent,child);
 	if (rc)
 		return rc;
 
+	security_get_value(parent->security, SELINUX_LSM_ID, psec);
+	security_get_value(child->security, SELINUX_LSM_ID, csec);
+
 	rc = task_has_perm(parent, child, PROCESS__PTRACE);
 	/* Save the SID of the tracing process for later use in apply_creds. */
 	if (!rc)
@@ -1388,12 +1401,12 @@
 static int selinux_capset_check(struct task_struct *target, kernel_cap_t
*effective,
                                 kernel_cap_t *inheritable, kernel_cap_t
*permitted)
 {
-	int error;
-
-	error = secondary_ops->capset_check(target, effective, inheritable,
permitted);
-	if (error)
-		return error;
-
+	if (secondary_ops) {
+		int error = secondary_ops->capset_check(target, effective,
+			inheritable, permitted);
+		if (error)
+			return error;
+	}
 	return task_has_perm(current, target, PROCESS__SETCAP);
 }
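Review bot: `selinux_capset_check` now guards `secondary_ops` against NULL, but `selinux_ptrace`, `selinux_bprm_check_security` and `selinux_bprm_apply_creds` in later hunks still call through `secondary_ops->...` unconditionally; either `secondary_ops` can be NULL, in which case every caller needs the same guard, or it cannot, in which case this one and the `if (!secondary_ops) return;` in the next hunk are dead code. A short comment at the definition of `secondary_ops` stating when it is NULL would settle which.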
 
@@ -1402,6 +1415,9 @@
 {
 	int error;
 
+	if (!secondary_ops)
+		return;
+
 	error = task_has_perm(current, target, PROCESS__SETCAP);
 	if (error)
 		return;
@@ -1432,7 +1448,7 @@
 	if (rc)
 		return rc;
 
-	tsec = current->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 
 	rc = selinux_proc_get_sid(table->de, (op == 001) ?
 	                          SECCLASS_DIR : SECCLASS_FILE, &tsid);
@@ -1541,7 +1557,9 @@
 {
 	unsigned long free, allowed;
 	int rc;
-	struct task_security_struct *tsec = current->security;
+	struct task_security_struct *tsec;
+	
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 
 	vm_acct_memory(pages);
 
@@ -1608,12 +1626,12 @@
 		return -ENOMEM;
 
 	memset(bsec, 0, sizeof *bsec);
-	bsec->magic = SELINUX_MAGIC;
 	bsec->bprm = bprm;
 	bsec->sid = SECINITSID_UNLABELED;
 	bsec->set = 0;
 
-	bprm->security = bsec;
+	security_set_value_nocheck(bprm->security, SELINUX_LSM_ID,
+		bsec);
 	return 0;
 }
 
@@ -1631,13 +1649,13 @@
 	if (rc)
 		return rc;
 
-	bsec = bprm->security;
+	security_get_value(bprm->security, SELINUX_LSM_ID, bsec);
 
 	if (bsec->set)
 		return 0;
 
-	tsec = current->security;
-	isec = inode->i_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 
 	/* Default to the current task SID. */
 	bsec->sid = tsec->sid;
@@ -1701,12 +1719,12 @@
 	return secondary_ops->bprm_check_security(bprm);
 }
 
-
 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
 {
-	struct task_security_struct *tsec = current->security;
+	struct task_security_struct *tsec;
 	int atsecure = 0;
 
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	if (tsec->osid != tsec->sid) {
 		/* Enable secure mode for SIDs transitions unless
 		   the noatsecure permission is granted between
@@ -1721,8 +1739,9 @@
 
 static void selinux_bprm_free_security(struct linux_binprm *bprm)
 {
-	struct bprm_security_struct *bsec = bprm->security;
-	bprm->security = NULL;
+	struct bprm_security_struct *bsec;
+	
+	security_del_value(bprm->security, SELINUX_LSM_ID, bsec);
 	kfree(bsec);
 }
 
@@ -1824,9 +1843,8 @@
 
 	secondary_ops->bprm_apply_creds(bprm, unsafe);
 
-	tsec = current->security;
-
-	bsec = bprm->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(bprm->security, SELINUX_LSM_ID, bsec);
 	sid = bsec->sid;
 
 	tsec->osid = tsec->sid;
@@ -2211,9 +2229,9 @@
 
 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int
flags)
 {
-	struct task_security_struct *tsec = current->security;
+	struct task_security_struct *tsec;
 	struct inode *inode = dentry->d_inode;
-	struct inode_security_struct *isec = inode->i_security;
+	struct inode_security_struct *isec;
 	struct superblock_security_struct *sbsec;
 	struct avc_audit_data ad;
 	u32 newsid;
@@ -2233,7 +2251,7 @@
 		return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 	}
 
-	sbsec = inode->i_sb->s_security;
+	security_get_value(inode->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 		return -EOPNOTSUPP;
 
@@ -2243,6 +2261,8 @@
 	AVC_AUDIT_DATA_INIT(&ad,FS);
 	ad.u.fs.dentry = dentry;
 
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 	rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
 			  FILE__RELABELFROM,
 			  &isec->avcr, &ad);
@@ -2270,10 +2290,12 @@
                                         void *value, size_t size, int flags)
 {
 	struct inode *inode = dentry->d_inode;
-	struct inode_security_struct *isec = inode->i_security;
+	struct inode_security_struct *isec;
 	u32 newsid;
 	int rc;
 
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
+
 	if (strcmp(name, XATTR_NAME_SELINUX)) {
 		/* Not an attribute we recognize, so nothing to do. */
 		return;
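Review bot: The `security_get_value` lookup is placed ahead of the `strcmp(name, XATTR_NAME_SELINUX)` early return, so every post_setxattr call walks the chain even for attributes SELinux ignores, whereas the inode_getsecurity and inode_setsecurity hunks below place the lookup after their `-EOPNOTSUPP` return. Moving the two added lines below the strcmp block keeps the three hooks consistent and skips the lookup on the common non-SELinux path. The function body continues past the hunk.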
@@ -2293,7 +2315,9 @@
 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
 {
 	struct inode *inode = dentry->d_inode;
-	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+	struct superblock_security_struct *sbsec;
+	
+	security_get_value(inode->i_sb->s_security, SELINUX_LSM_ID, sbsec);
 
 	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 		return -EOPNOTSUPP;
@@ -2330,7 +2354,7 @@
 
 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t
size)
 {
-	struct inode_security_struct *isec = inode->i_security;
+	struct inode_security_struct *isec;
 	char *context;
 	unsigned len;
 	int rc;
@@ -2340,6 +2364,8 @@
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
+
 	rc = security_sid_to_context(isec->sid, &context, &len);
 	if (rc)
 		return rc;
@@ -2360,13 +2386,15 @@
 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
                                      const void *value, size_t size, int
flags)
 {
-	struct inode_security_struct *isec = inode->i_security;
+	struct inode_security_struct *isec;
 	u32 newsid;
 	int rc;
 
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
+
 	if (!value || !size)
 		return -EACCES;
 
@@ -2557,8 +2585,8 @@
 	struct task_security_struct *tsec;
 	struct file_security_struct *fsec;
 
-	tsec = current->security;
-	fsec = file->f_security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(file->f_security, SELINUX_LSM_ID, fsec);
 	fsec->fown_sid = tsec->sid;
 
 	return 0;
@@ -2575,8 +2603,8 @@
 	/* struct fown_struct is never outside the context of a struct file */
         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
 
-	tsec = tsk->security;
-	fsec = file->f_security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
+	security_get_value(file->f_security, SELINUX_LSM_ID, fsec);
 
 	if (!signum)
 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -2610,12 +2638,12 @@
 	struct task_security_struct *tsec1, *tsec2;
 	int rc;
 
-	tsec1 = current->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec1);
 
 	rc = task_alloc_security(tsk);
 	if (rc)
 		return rc;
-	tsec2 = tsk->security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec2);
 
 	tsec2->osid = tsec1->osid;
 	tsec2->sid = tsec1->sid;
@@ -2714,8 +2742,8 @@
 {
 	struct task_security_struct *tsec1, *tsec2;
 
-	tsec1 = current->security;
-	tsec2 = p->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec1);
+	security_get_value(p->security, SELINUX_LSM_ID, tsec2);
 
 	/* No auditing from the setscheduler hook, since the runqueue lock
 	   is held and the system will deadlock if we try to log an audit
@@ -2778,7 +2806,7 @@
 
 	secondary_ops->task_reparent_to_init(p);
 
-	tsec = p->security;
+	security_get_value(p->security, SELINUX_LSM_ID, tsec);
 	tsec->osid = tsec->sid;
 	tsec->sid = SECINITSID_KERNEL;
 	return;
@@ -2787,8 +2815,11 @@
 static void selinux_task_to_inode(struct task_struct *p,
 				  struct inode *inode)
 {
-	struct task_security_struct *tsec = p->security;
-	struct inode_security_struct *isec = inode->i_security;
+	struct task_security_struct *tsec;
+	struct inode_security_struct *isec;
+
+	security_get_value(p->security, SELINUX_LSM_ID, tsec);
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 
 	isec->sid = tsec->sid;
 	isec->initialized = 1;
@@ -2957,8 +2988,8 @@
 	struct avc_audit_data ad;
 	int err = 0;
 
-	tsec = task->security;
-	isec = SOCK_INODE(sock)->i_security;
+	security_get_value(task->security, SELINUX_LSM_ID, tsec);
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 
 	if (isec->sid == SECINITSID_KERNEL)
 		goto out;
@@ -2981,7 +3012,7 @@
 	if (kern)
 		goto out;
 
-	tsec = current->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	err = avc_has_perm(tsec->sid, tsec->sid,
 			   socket_type_to_security_class(family, type,
 			   protocol), SOCKET__CREATE, NULL, NULL);
@@ -3000,9 +3031,9 @@
 	err = inode_doinit(SOCK_INODE(sock));
 	if (err < 0)
 		return;
-	isec = SOCK_INODE(sock)->i_security;
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 
-	tsec = current->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	isec->sclass = socket_type_to_security_class(family, type, protocol);
 	isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
 
@@ -3039,8 +3070,8 @@
 		struct sock *sk = sock->sk;
 		u32 sid, node_perm, addrlen;
 
-		tsec = current->security;
-		isec = SOCK_INODE(sock)->i_security;
+		security_get_value(current->security, SELINUX_LSM_ID, tsec);
+		security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 
 		if (family == PF_INET) {
 			addr4 = (struct sockaddr_in *)address;
@@ -3129,9 +3160,9 @@
 	err = inode_doinit(SOCK_INODE(newsock));
 	if (err < 0)
 		return err;
-	newisec = SOCK_INODE(newsock)->i_security;
+	security_get_value(SOCK_INODE(newsock)->i_security, SELINUX_LSM_ID,
newisec);
 
-	isec = SOCK_INODE(sock)->i_security;
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 	newisec->sclass = isec->sclass;
 	newisec->sid = isec->sid;
 
@@ -3190,8 +3221,8 @@
 	if (err)
 		return err;
 
-	isec = SOCK_INODE(sock)->i_security;
-	other_isec = SOCK_INODE(other)->i_security;
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
+	security_get_value(SOCK_INODE(other)->i_security, SELINUX_LSM_ID,
other_isec);
 
 	AVC_AUDIT_DATA_INIT(&ad,NET);
 	ad.u.net.sk = other->sk;
@@ -3204,11 +3235,11 @@
 		return err;
 
 	/* connecting socket */
-	ssec = sock->sk->sk_security;
+	security_get_value(sock->sk->sk_security, SELINUX_LSM_ID, ssec);
 	ssec->peer_sid = other_isec->sid;
 	
 	/* server child socket */
-	ssec = newsk->sk_security;
+	security_get_value(newsk->sk_security, SELINUX_LSM_ID, ssec);
 	ssec->peer_sid = isec->sid;
 	
 	return 0;
@@ -3222,8 +3253,8 @@
 	struct avc_audit_data ad;
 	int err;
 
-	isec = SOCK_INODE(sock)->i_security;
-	other_isec = SOCK_INODE(other)->i_security;
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
+	security_get_value(SOCK_INODE(other)->i_security, SELINUX_LSM_ID,
other_isec);
 
 	AVC_AUDIT_DATA_INIT(&ad,NET);
 	ad.u.net.sk = other->sk;
@@ -3265,7 +3296,7 @@
  		inode = SOCK_INODE(sock);
  		if (inode) {
  			struct inode_security_struct *isec;
- 			isec = inode->i_security;
+			security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
  			sock_sid = isec->sid;
  			sock_class = isec->sclass;
  		}
@@ -3349,13 +3380,13 @@
 	struct sk_security_struct *ssec;
 	struct inode_security_struct *isec;
 
-	isec = SOCK_INODE(sock)->i_security;
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 	if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
 		err = -ENOPROTOOPT;
 		goto out;
 	}
 
-	ssec = sock->sk->sk_security;
+	security_get_value(sock->sk->sk_security, SELINUX_LSM_ID, ssec);
 	
 	err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
 	if (err)
@@ -3394,7 +3425,9 @@
 	u32 perm;
 	struct nlmsghdr *nlh;
 	struct socket *sock = sk->sk_socket;
-	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+	struct inode_security_struct *isec;
+	
+	security_get_value(SOCK_INODE(sock)->i_security, SELINUX_LSM_ID, isec);
 	
 	if (skb->len < NLMSG_SPACE(0)) {
 		err = -EINVAL;
@@ -3451,7 +3484,7 @@
 	if (err)
 		goto out;
 
-	isec = inode->i_security;
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 	
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
@@ -3577,15 +3610,16 @@
 			      struct kern_ipc_perm *perm,
 			      u16 sclass)
 {
-	struct task_security_struct *tsec = task->security;
+	struct task_security_struct *tsec;
 	struct ipc_security_struct *isec;
 
+	security_get_value(task->security, SELINUX_LSM_ID, tsec);
+
 	isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
 	if (!isec)
 		return -ENOMEM;
 
 	memset(isec, 0, sizeof(struct ipc_security_struct));
-	isec->magic = SELINUX_MAGIC;
 	isec->sclass = sclass;
 	isec->ipc_perm = perm;
 	if (tsec) {
@@ -3593,18 +3627,18 @@
 	} else {
 		isec->sid = SECINITSID_UNLABELED;
 	}
-	perm->security = isec;
+	security_set_value_nocheck(perm->security, SELINUX_LSM_ID,
+		isec);
 
 	return 0;
 }
 
 static void ipc_free_security(struct kern_ipc_perm *perm)
 {
-	struct ipc_security_struct *isec = perm->security;
-	if (!isec || isec->magic != SELINUX_MAGIC)
-		return;
+	struct ipc_security_struct *isec;
+	
+	security_del_value(perm->security, SELINUX_LSM_ID, isec);
 
-	perm->security = NULL;
 	kfree(isec);
 }
 
@@ -3617,21 +3651,20 @@
 		return -ENOMEM;
 
 	memset(msec, 0, sizeof(struct msg_security_struct));
-	msec->magic = SELINUX_MAGIC;
 	msec->msg = msg;
 	msec->sid = SECINITSID_UNLABELED;
-	msg->security = msec;
+	security_set_value_nocheck(msg->security, SELINUX_LSM_ID,
+			msec);
 
 	return 0;
 }
 
 static void msg_msg_free_security(struct msg_msg *msg)
 {
-	struct msg_security_struct *msec = msg->security;
-	if (!msec || msec->magic != SELINUX_MAGIC)
-		return;
+	struct msg_security_struct *msec;
+	
+	security_del_value(msg->security, SELINUX_LSM_ID, msec);
 
-	msg->security = NULL;
 	kfree(msec);
 }
 
@@ -3642,8 +3675,8 @@
 	struct ipc_security_struct *isec;
 	struct avc_audit_data ad;
 
-	tsec = current->security;
-	isec = ipc_perms->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(ipc_perms->security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
 	ad.u.ipc_id = ipc_perms->key;
@@ -3674,8 +3707,8 @@
 	if (rc)
 		return rc;
 
-	tsec = current->security;
-	isec = msq->q_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(msq->q_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
  	ad.u.ipc_id = msq->q_perm.key;
@@ -3700,8 +3733,8 @@
 	struct ipc_security_struct *isec;
 	struct avc_audit_data ad;
 
-	tsec = current->security;
-	isec = msq->q_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(msq->q_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
 	ad.u.ipc_id = msq->q_perm.key;
@@ -3746,9 +3779,9 @@
 	struct avc_audit_data ad;
 	int rc;
 
-	tsec = current->security;
-	isec = msq->q_perm.security;
-	msec = msg->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(msq->q_perm.security, SELINUX_LSM_ID, isec);
+	security_get_value(msg->security, SELINUX_LSM_ID, msec);
 
 	/*
 	 * First time through, need to assign label to the message
@@ -3796,9 +3829,9 @@
 	struct avc_audit_data ad;
 	int rc;
 
-	tsec = target->security;
-	isec = msq->q_perm.security;
-	msec = msg->security;
+	security_get_value(target->security, SELINUX_LSM_ID, tsec);
+	security_get_value(msq->q_perm.security, SELINUX_LSM_ID, isec);
+	security_get_value(msg->security, SELINUX_LSM_ID, msec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
  	ad.u.ipc_id = msq->q_perm.key;
@@ -3825,8 +3858,8 @@
 	if (rc)
 		return rc;
 
-	tsec = current->security;
-	isec = shp->shm_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(shp->shm_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
  	ad.u.ipc_id = shp->shm_perm.key;
@@ -3851,8 +3884,8 @@
 	struct ipc_security_struct *isec;
 	struct avc_audit_data ad;
 
-	tsec = current->security;
-	isec = shp->shm_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(shp->shm_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
 	ad.u.ipc_id = shp->shm_perm.key;
@@ -3924,8 +3957,8 @@
 	if (rc)
 		return rc;
 
-	tsec = current->security;
-	isec = sma->sem_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(sma->sem_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
  	ad.u.ipc_id = sma->sem_perm.key;
@@ -3950,8 +3983,8 @@
 	struct ipc_security_struct *isec;
 	struct avc_audit_data ad;
 
-	tsec = current->security;
-	isec = sma->sem_perm.security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
+	security_get_value(sma->sem_perm.security, SELINUX_LSM_ID, isec);
 
 	AVC_AUDIT_DATA_INIT(&ad, IPC);
 	ad.u.ipc_id = sma->sem_perm.key;
@@ -4017,11 +4050,12 @@
 
 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 {
-	struct ipc_security_struct *isec = ipcp->security;
+	struct ipc_security_struct *isec;
 	u16 sclass = SECCLASS_IPC;
 	u32 av = 0;
 
-	if (isec && isec->magic == SELINUX_MAGIC)
+	security_get_value(ipcp->security, SELINUX_LSM_ID, isec);
+	if (isec)
 		sclass = isec->sclass;
 
 	av = 0;
@@ -4039,7 +4073,7 @@
 /* module stacking operations */
 int selinux_register_security (const char *name, struct security_operations
*ops)
 {
-	if (secondary_ops != original_ops) {
+	if (secondary_ops != &nul_security_ops) {
 		printk(KERN_INFO "%s:  There is already a secondary security "
 		       "module registered.\n", __FUNCTION__);
 		return -EINVAL;
@@ -4048,8 +4082,7 @@
 	secondary_ops = ops;
 
 	printk(KERN_INFO "%s:  Registering secondary module %s\n",
-	       __FUNCTION__,
-	       name);
+	       __FUNCTION__, name);
 
 	return 0;
 }
@@ -4062,7 +4095,7 @@
 		return -EINVAL;
 	}
 
-	secondary_ops = original_ops;
+	secondary_ops = &nul_security_ops;
 
 	return 0;
 }
@@ -4090,7 +4123,7 @@
 	if (!size)
 		return -ERANGE;
 
-	tsec = p->security;
+	security_get_value(p->security, SELINUX_LSM_ID, tsec);
 
 	if (!strcmp(name, "current"))
 		sid = tsec->sid;
@@ -4160,7 +4193,7 @@
 	   operation.  See selinux_bprm_set_security for the execve
 	   checks and may_create for the file creation checks. The
 	   operation will then fail if the context is not permitted. */
-	tsec = p->security;
+	security_get_value(p->security, SELINUX_LSM_ID, tsec);
 	if (!strcmp(name, "exec"))
 		tsec->exec_sid = sid;
 	else if (!strcmp(name, "fscreate"))
@@ -4247,8 +4280,8 @@
 	.task_alloc_security =		selinux_task_alloc_security,
 	.task_free_security =		selinux_task_free_security,
 	.task_setuid =			selinux_task_setuid,
-	.task_post_setuid =		selinux_task_post_setuid,
 	.task_setgid =			selinux_task_setgid,
+	.task_post_setuid =		selinux_task_post_setuid,
 	.task_setpgid =			selinux_task_setpgid,
 	.task_getpgid =			selinux_task_getpgid,
 	.task_getsid =		        selinux_task_getsid,
@@ -4319,6 +4352,9 @@
 #endif
 };
 
+void security_fixup_ops (struct security_operations *ops);
+
+#define MY_NAME "selinux"
 __init int selinux_init(void)
 {
 	struct task_security_struct *tsec;
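Review bot: `void security_fixup_ops (struct security_operations *ops);` is an extern prototype dropped into this .c file just above selinux_init; it belongs in the header that exports it (objsec.h now includes <linux/security.h>) so the signature is checked against the definition instead of being repeated here. `#define MY_NAME "selinux"` sits directly on the function with no blank line and carries no explanation; a short comment such as `/* name passed to mod_reg_security()/mod_unreg_security() when chaining under a primary LSM */` would say why it exists. selinux_init's body continues in the next hunk.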
@@ -4333,16 +4369,25 @@
 	/* Set the security state for the initial task. */
 	if (task_alloc_security(current))
 		panic("SELinux:  Failed to initialize initial task.\n");
-	tsec = current->security;
+	security_get_value(current->security, SELINUX_LSM_ID, tsec);
 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
 
 	avc_init();
 
-	original_ops = secondary_ops = security_ops;
-	if (!secondary_ops)
-		panic ("SELinux: No initial security operations\n");
-	if (register_security (&selinux_ops))
-		panic("SELinux: Unable to register with kernel.\n");
+	security_fixup_ops(&nul_security_ops);
+	secondary_ops = &nul_security_ops;
+
+	if (register_security (&selinux_ops)) {
+		secondary = 1;
+		if (mod_reg_security( MY_NAME, &selinux_ops)) {
+			printk(KERN_ERR "%s: Failed to register with primary LSM.\n",
+				__FUNCTION__);
+			panic("SELinux: Unable to register with kernel.\n");
+		} else {
+			printk(KERN_ERR "%s: registered with primary LSM.\n",
+				__FUNCTION__);
+		}
+	}
 
 	if (selinux_enforcing) {
 		printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
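Review bot: The branch that succeeds in registering with the primary LSM logs at KERN_ERR; a successful registration is informational, `printk(KERN_INFO "%s: registered with primary LSM.\n", __FUNCTION__);`. Separately, `secondary_ops` is now initialised to `&nul_security_ops` instead of the previously registered `security_ops`, so unless another module later registers through selinux_register_security, the `secondary_ops->` calls kept in the other hunks (bprm_check_security, bprm_apply_creds, task_reparent_to_init) become no-ops; with CONFIG_SECURITY_STACKER=n that may drop checks that the old code chained through the prior security_ops — a comment here stating which configuration is expected to supply them would make the intent checkable. The function continues outside the hunk.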
@@ -4473,8 +4518,15 @@
 
 	selinux_disabled = 1;
 
-	/* Reset security_ops to the secondary module, dummy or capability. */
-	security_ops = secondary_ops;
+	/* Unregister selinux */
+	if (secondary) {
+		if (mod_unreg_security(MY_NAME, &selinux_ops))
+			printk(KERN_INFO "Failure unregistering selinux.\n");
+		secondary = 0;
+	} else {
+		if (unregister_security(&selinux_ops))
+			printk(KERN_INFO "Failure unregistering selinux.\n");
+	}
 
 	/* Unregister netfilter hooks. */
 	selinux_nf_ip_exit();
Index: linux-2.6.10-rc1-bk19-newchain/security/selinux/include/objsec.h
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/selinux/include/objsec.h	2004-11-10
04:22:40.000000000 -0600
+++ linux-2.6.10-rc1-bk19-newchain/security/selinux/include/objsec.h	2004-11-10 04:26:21.000000000
-0600
@@ -23,11 +23,14 @@
 #include <linux/fs.h>
 #include <linux/binfmts.h>
 #include <linux/in.h>
+#include <linux/security.h>
 #include "flask.h"
 #include "avc.h"
 
+#define SELINUX_LSM_ID 0xB65
+
 struct task_security_struct {
-        unsigned long magic;           /* magic number for this module */
+	security_info;
 	struct task_struct *task;      /* back pointer to task object */
 	u32 osid;            /* SID prior to last execve */
 	u32 sid;             /* current SID */
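Review bot: `SELINUX_LSM_ID 0xB65` is an arbitrary per-module constant (the seclvl.c hunk picks `0xF45` the same way) with nothing preventing two modules from choosing the same value; on a collision `security_get_value` would hand one module another module's struct under its own type, which the removed per-struct `magic` field used to guard against within this module. Allocating IDs from a single place in <linux/security.h>, or at least documenting the scheme, would make the uniqueness requirement explicit; a comment next to the define such as `/* must be unique across every LSM that can chain a struct on the same object */` is the minimum.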
@@ -38,7 +41,7 @@
 };
 
 struct inode_security_struct {
-	unsigned long magic;           /* magic number for this module */
+	security_info;
         struct inode *inode;           /* back pointer to inode object */
 	struct list_head list;         /* list of inode_security_struct */
 	u32 task_sid;        /* SID of creating task */
@@ -51,7 +54,7 @@
 };
 
 struct file_security_struct {
-	unsigned long magic;            /* magic number for this module */
+	security_info;
 	struct file *file;              /* back pointer to file object */
 	u32 sid;              /* SID of open file description */
 	u32 fown_sid;         /* SID of file owner (for SIGIO) */
@@ -60,7 +63,7 @@
 };
 
 struct superblock_security_struct {
-	unsigned long magic;            /* magic number for this module */
+	security_info;
 	struct super_block *sb;         /* back pointer to sb object */
 	struct list_head list;          /* list of superblock_security_struct */
 	u32 sid;              /* SID of file system */
@@ -74,14 +77,14 @@
 };
 
 struct msg_security_struct {
-        unsigned long magic;		/* magic number for this module */
+	security_info;
 	struct msg_msg *msg;		/* back pointer */
 	u32 sid;              /* SID of message */
         struct avc_entry_ref avcr;	/* reference to permissions */
 };
 
 struct ipc_security_struct {
-        unsigned long magic;		/* magic number for this module */
+	security_info;
 	struct kern_ipc_perm *ipc_perm; /* back pointer */
 	u16 sclass;	/* security class of this object */
 	u32 sid;              /* SID of IPC resource */
@@ -89,20 +92,21 @@
 };
 
 struct bprm_security_struct {
-	unsigned long magic;           /* magic number for this module */
+	security_info;
 	struct linux_binprm *bprm;     /* back pointer to bprm object */
 	u32 sid;                       /* SID for transformed process */
 	unsigned char set;
 };
 
 struct netif_security_struct {
+	security_info;
 	struct net_device *dev;		/* back pointer */
 	u32 if_sid;			/* SID for this interface */
 	u32 msg_sid;			/* default SID for messages received on this interface */
 };
 
 struct sk_security_struct {
-	unsigned long magic;		/* magic number for this module */
+	security_info;
 	struct sock *sk;		/* back pointer to sk object */
 	u32 peer_sid;			/* SID of peer */
 };
Index: linux-2.6.10-rc1-bk19-newchain/security/selinux/selinuxfs.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/selinux/selinuxfs.c	2004-11-10 04:22:40.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/security/selinux/selinuxfs.c	2004-11-10 04:41:25.000000000
-0600
@@ -46,7 +46,7 @@
 {
 	struct task_security_struct *tsec;
 
-	tsec = tsk->security;
+	security_get_value(tsk->security, SELINUX_LSM_ID, tsec);
 	if (!tsec)
 		return -EACCES;
 
@@ -856,7 +856,7 @@
 			ret = -ENAMETOOLONG;
 			goto err;
 		}
-		isec = (struct inode_security_struct*)inode->i_security;
+		security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 		if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
 			goto err;
 		isec->sid = sid;
@@ -934,7 +934,7 @@
 	inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO);
 	if (!inode)
 		goto out;
-	isec = (struct inode_security_struct*)inode->i_security;
+	security_get_value(inode->i_security, SELINUX_LSM_ID, isec);
 	isec->sid = SECINITSID_DEVNULL;
 	isec->sclass = SECCLASS_CHR_FILE;
 	isec->initialized = 1;

Index: linux-2.6.10-rc1-bk19-newchain/security/seclvl.c
===================================================================
--- linux-2.6.10-rc1-bk19-newchain.orig/security/seclvl.c	2004-11-10 19:56:02.000000000
-0600
+++ linux-2.6.10-rc1-bk19-newchain/security/seclvl.c	2004-11-10 19:58:27.000000000
-0600
@@ -35,6 +35,7 @@
 #include <linux/sysfs.h>
 
 #define SHA1_DIGEST_SIZE 20
+#define SECLVL_LSM_ID 0xF45
 
 /**
  * Module parameter that defines the initial secure level.
@@ -485,11 +486,18 @@
 	return 0;
 }
 
+struct seclvl_i_sec {
+	security_info;
+	struct task_struct *task;
+};
+
 /* claim the blockdev to exclude mounters, release on file close */
 static int seclvl_bd_claim(struct inode *inode)
 {
 	int holder;
 	struct block_device *bdev = NULL;
+	struct seclvl_i_sec *sec, *osec;
+
 	dev_t dev = inode->i_rdev;
 	bdev = open_by_devnum(dev, FMODE_WRITE);
 	if (bdev) {
@@ -498,7 +506,14 @@
 			return -EPERM;
 		}
 		/* claimed, mark it to release on close */
-		inode->i_security = current;
+		sec = kmalloc(sizeof(struct seclvl_i_sec), GFP_KERNEL);
+		if (!sec) {
+			blkdev_put(bdev);
+			return -EPERM;
+		}
+		sec->task = current;
+		security_set_value(inode->i_security, SECLVL_LSM_ID, sec, osec);
+		kfree(osec);
 	}
 	return 0;
 }
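Review bot: The `!sec` failure path returns -EPERM rather than -ENOMEM and only calls `blkdev_put(bdev)`, while the comment on the line above says the device is already claimed; seclvl_bd_release pairs `bd_release(bdev)` with `blkdev_put(bdev)`, so the claim appears to leak on allocation failure (inferred from the release path; seclvl_bd_claim's opening is in the previous hunk). The struct is also not zeroed after kmalloc, unlike the SELinux allocators in this series which memset before `security_set_value_nocheck`, so whatever `security_info` holds is uninitialised unless security_set_value itself initialises it. Suggested shape:
```c
		sec = kmalloc(sizeof(*sec), GFP_KERNEL);
		if (!sec) {
			bd_release(bdev);	/* undo the claim taken above */
			blkdev_put(bdev);
			return -ENOMEM;
		}
		memset(sec, 0, sizeof(*sec));
		sec->task = current;
		/* … unchanged: security_set_value / kfree(osec) … */
```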
@@ -506,12 +521,21 @@
 /* release the blockdev if you claimed it */
 static void seclvl_bd_release(struct inode *inode)
 {
-	if (inode && S_ISBLK(inode->i_mode) && inode->i_security == current) {
-		struct block_device *bdev = inode->i_bdev;
-		if (bdev) {
-			bd_release(bdev);
-			blkdev_put(bdev);
-			inode->i_security = NULL;
+	if (inode && S_ISBLK(inode->i_mode)) {
+		struct seclvl_i_sec *sec;
+
+		security_get_value(inode->i_security, SECLVL_LSM_ID, sec);
+		if (!sec)
+			return;
+		if (sec->task == current) {
+			struct block_device *bdev = inode->i_bdev;
+			if (bdev) {
+				bd_release(bdev);
+				blkdev_put(bdev);
+				security_del_value(inode->i_security,
+						SECLVL_LSM_ID, sec);
+				kfree(sec);
+			}
 		}
 	}
 }
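Review bot: The `struct seclvl_i_sec` allocated in `seclvl_bd_claim` is freed only on this path and only inside `if (bdev)`, so when `inode->i_bdev` is NULL at release time the entry stays chained on the inode and the allocation is leaked; nothing in the patch as shown adds an inode_free_security hook for seclvl that would reclaim it on inode teardown. Suggest moving `security_del_value(inode->i_security, SECLVL_LSM_ID, sec); kfree(sec);` outside the `if (bdev)` block so the record is dropped whenever the owning task releases, leaving only `bd_release`/`blkdev_put` conditional on `bdev`. A short comment on `sec->task == current` noting that it is a raw pointer match with no task reference held (unchanged from the original code) would also help the next reader.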


                 L M B E N C H  2 . 0   S U M M A R Y
                 ------------------------------------


Basic system parameters
----------------------------------------------------
Host                 OS Description              Mhz
                                                    
--------- ------------- ----------------------- ----
ereshkiga Linux 2.6.10-       i686-pc-linux-gnu 2974
ereshkiga Linux 2.6.10-       i686-pc-linux-gnu 2974
ereshkiga Linux 2.6.10-       i686-pc-linux-gnu 2974
ereshkiga Linux 2.6.10-       i686-pc-linux-gnu 2974

Processor, Processes - times in microseconds - smaller is better
------------------------------------------------------
Host                 OS  Mhz null null            open    selct
                             call  I/O    stat    clos    TCP  
--------- ------------- ---- ---- ----    ----    ----    -----
ereshkiga Linux 2.6.10- 2974 0.14 0.31    2.48    3.03    4.789
ereshkiga Linux 2.6.10- 2974 0.14 0.32    2.47    3.12    4.784
ereshkiga Linux 2.6.10- 2974 0.14 0.32    2.52    3.09    4.828
ereshkiga Linux 2.6.10- 2974 0.14 0.31    2.44    3.07      


MEAN                             0.315   2.478    3.078   4.8003
STDEV                            0.005   .0286    .0327   .01967
CI (95%)

                    ----------
                    sig      sig      fork     exec     sh  
                    inst     hndl     proc     proc     proc
                    ----     ----     ----     ----     ----
                    0.51     1.60     73.2     352.     1662
                    0.51     1.60     73.3     361.     1666
                    0.51     1.59     73.3     353.     1652
                    0.54     1.58     74.0     353.     1655

MEAN                0.518   1.593    73.45     354.8    1658.8
STDEV               .0130   .0083    0.320      3.63      5.54
CI (95%)


Context switching - times in microseconds - smaller is better
-------------------------------------------------------------
Host                 OS 2p/0K 2p/16K 2p/64K 8p/16K 8p/64K 16p/16K 16p/64K
                        ctxsw  ctxsw  ctxsw ctxsw  ctxsw   ctxsw   ctxsw
--------- ------------- ----- ------ ------ ------ ------ ------- -------
ereshkiga Linux 2.6.10- 1.490 2.3200 4.4300 3.1400   28.4 6.73000    36.3
ereshkiga Linux 2.6.10- 1.510 2.3000 4.3400 3.7100   30.1 6.95000    36.4
ereshkiga Linux 2.6.10- 1.470 2.3500 4.3500 3.2700   26.3 6.95000    36.0
ereshkiga Linux 2.6.10- 1.540 2.2700 4.4000 3.0400   26.9 6.82000    36.4

MEAN                    1.503 2.31   4.38   3.29     27.9 6.86      36.28
STDEV                   .0259 .029   .037   .256     1.47 .093      0.164
CI (95%)

*Local* Communication latencies in microseconds - smaller is better
-------------------------------------------------------------------
Host                 OS 2p/0K  Pipe AF     UDP  RPC/   TCP  RPC/  TCP
                        ctxsw       UNIX         UDP         TCP  conn
--------- ------------- ----- ----- ---- ----- ----- ----- -----  ----
ereshkiga Linux 2.6.10- 1.490 4.901 8.68  15.7  22.7  17.9  26.1  60.6
ereshkiga Linux 2.6.10- 1.510 4.422 8.74  15.6  22.9  17.9  26.2  61.3
ereshkiga Linux 2.6.10- 1.470 4.881 8.83  15.7  19.8  18.0  26.0  60.3
ereshkiga Linux 2.6.10- 1.540 4.799 9.94  15.7  19.8  18.0  26.3  61.2

MEAN                    1.50  4.751 9.05 15.675 21.3 17.95  26.15 60.85
STDEV                   .026  .1936 .518 0.0433 1.50  0.05  0.112 0.415
CI (95%)

File & VM system latencies in microseconds - smaller is better
--------------------------------------------------------------
Host                 OS   0K File      10K File      Mmap    Prot    Page	
                        Create Delete Create Delete  Latency Fault   Fault 
--------- ------------- ------ ------ ------ ------  ------- -----   ----- 
ereshkiga Linux 2.6.10-   19.1 9.3440   46.7   15.8   1016.0 0.662 1.00000
ereshkiga Linux 2.6.10-   18.3 9.3090   46.7   15.7   1015.0 0.597 1.00000
ereshkiga Linux 2.6.10-   18.2 9.3090   46.1   15.7   1043.0 0.696 1.00000
ereshkiga Linux 2.6.10-   18.2 9.2510   46.3   15.7   1018.0 0.649 1.00000

MEAN                     18.45 9.303   46.45   15.73  1023   0.651
STDEV                    0.377 .0334   0.260   0.043  11.6   0.036
CI (95%)

*Local* Communication bandwidths in MB/s - bigger is better
----------------------------------------------
Host       Pipe AF    TCP  File   Mmap  Bcopy  Bcopy  Mem     Mem
                UNIX      reread reread (libc) (hand) read    write
---------  ---- ---- ---- ------ ------ ------ ------ ----    -----
ereshkiga  1199 2689 561. 1696.5 1894.3  595.9  619.4 1914    863.8
ereshkiga  1183 2962 624. 1686.0 1914.6  601.9  629.2 1913    869.3
ereshkiga  1152 2563 569. 1685.0 1913.8  599.4  630.2 1913    882.6
ereshkiga  1149 2502 593. 1678.7 1913.2  610.5  630.5 1914    877.5
                                                                   
MEAN       1170 2679 587  1686.6 1909.0  601.9  627.3 1913.5  873.3
STDEV        21  177  25     6.4    8.5    5.4    4.6   .5      7.3
CI (95%)

Memory latencies in nanoseconds - smaller is better
    (WARNING - may not be correct, check graphs)
---------------------------------------------------
Host                 OS   Mhz  L1 $   L2 $    Main mem    Guesses
--------- -------------  ---- ----- ------    --------    -------
ereshkiga Linux 2.6.10-  2974 0.671 6.1710  112.4
ereshkiga Linux 2.6.10-  2974 0.671 6.1790  112.4
ereshkiga Linux 2.6.10-  2974 0.681 6.1710  112.7
ereshkiga Linux 2.6.10-  2974 0.671 6.1700  112.4


                 L M B E N C H  2 . 0   S U M M A R Y
                 ------------------------------------


Basic system parameters
----------------------------------------------------
Host                 OS Description              Mhz
                                                    
--------- ------------- ----------------------- ----
ereshkiga Linux 2.6.10- results-newchain-stacke 2974
ereshkiga Linux 2.6.10- results-newchain-stacke 2974
ereshkiga Linux 2.6.10- results-newchain-stacke 2974
ereshkiga Linux 2.6.10- results-newchain-stacke 2974

Processor, Processes - times in microseconds - smaller is better
----------------------------------------------------------------
Host                 OS  Mhz null null      open selct sig  sig  fork exec sh
                             call  I/O stat clos TCP   inst hndl proc proc
proc
--------- ------------- ---- ---- ---- ---- ---- ----- ---- ---- ---- ----
----
ereshkiga Linux 2.6.10- 2974 0.14 0.49 3.40 4.14 4.753 0.51 1.61 78.7 383.
1705
ereshkiga Linux 2.6.10- 2974 0.14 0.48 3.39 4.23       0.51 1.62 77.9 368.
1718
ereshkiga Linux 2.6.10- 2974 0.14 0.48 3.37 4.36       0.51 1.60 76.4 379.
1708
ereshkiga Linux 2.6.10- 2974 0.14 0.49 3.53 4.29 4.764 0.51 1.59 77.6 366.
1714

MEAN                                   3.42 4.26 4.759 0.51 1.61 77.7 374
1711
STDEV                                  0.06 0.08 0.006      0.01  0.8   7
5
CI (95%)

Context switching - times in microseconds - smaller is better
-------------------------------------------------------------
Host                 OS 2p/0K 2p/16K 2p/64K 8p/16K 8p/64K 16p/16K 16p/64K
                        ctxsw  ctxsw  ctxsw ctxsw  ctxsw   ctxsw   ctxsw
--------- ------------- ----- ------ ------ ------ ------ ------- -------
ereshkiga Linux 2.6.10- 1.560 2.4100 4.5100 3.2000   33.9 6.81000    36.5
ereshkiga Linux 2.6.10- 1.690 2.4100 4.5100 3.2200   28.3 7.06000    38.4
ereshkiga Linux 2.6.10- 1.590 2.4600 4.4900 3.3600   26.5 6.05000    38.8
ereshkiga Linux 2.6.10- 1.620 2.4300 4.5200 3.1700   29.0 6.40000    36.5

MEAN                    1.615 2.43   4.51   3.24     29.4 6.58       37.6
STDEV                   0.048 0.02   0.01   0.07      2.7 0.39        1.1
CI (95%)

*Local* Communication latencies in microseconds - smaller is better
-------------------------------------------------------------------
Host                 OS 2p/0K  Pipe AF     UDP  RPC/   TCP  RPC/ TCP
                        ctxsw       UNIX         UDP         TCP conn
--------- ------------- ----- ----- ---- ----- ----- ----- ----- ----
ereshkiga Linux 2.6.10- 1.560 5.598 10.3  16.9  24.1  19.9  27.9 65.9
ereshkiga Linux 2.6.10- 1.690 5.714 10.4  17.0  23.8  20.2  27.5 66.4
ereshkiga Linux 2.6.10- 1.590 5.676 11.6  17.0  23.7  19.9  27.5 66.1
ereshkiga Linux 2.6.10- 1.620 5.732 11.9  17.1  23.9  20.1  27.9 65.9

MEAN                    1.615 5.680 11.05 17.0  23.9  20.0  27.7 66.1
STDEV                   0.048 0.051  0.71  0.1   0.1   0.1   0.2  0.2
CI (95%)

File & VM system latencies in microseconds - smaller is better
--------------------------------------------------------------
Host                 OS   0K File      10K File      Mmap    Prot    Page	
                        Create Delete Create Delete  Latency Fault   Fault 
--------- ------------- ------ ------ ------ ------  ------- -----   ----- 
ereshkiga Linux 2.6.10-   21.8   10.3   49.4   16.8   1028.0 0.648 1.00000
ereshkiga Linux 2.6.10-   21.9   10.3   50.6   16.8   1023.0 0.632 1.00000
ereshkiga Linux 2.6.10-   21.8   10.2   50.1   16.5   1031.0 0.669 1.00000
ereshkiga Linux 2.6.10-   22.0   10.3   49.6   16.8   1027.0 0.656 1.00000

MEAN                      21.9   10.3   49.9   16.7   1027.3 0.651
STDEV                      0.1   0.04    0.5    0.1      2.9 0.013
CI (95%)

*Local* Communication bandwidths in MB/s - bigger is better
----------------------------------------------
Host       Pipe AF    TCP  File   Mmap  Bcopy  Bcopy  Mem      Mem
                UNIX      reread reread (libc) (hand) read    write
---------  ---- ---- ---- ------ ------ ------ ------ ----    -----
ereshkiga  1181 2709 593. 1686.7 1913.7  597.1  627.3 1913    862.7
ereshkiga  1192 2821 623. 1677.2 1914.3  603.1  629.9 1914    874.5
ereshkiga  1177 2717 560. 1673.5 1912.8  609.9  628.8 1913    886.3
ereshkiga  1122 2835 570. 1668.7 1913.2  615.5  630.5 1913    882.6

MEAN       1168 2771 587  1676.5 1913.5  606.4  629.1 1913.24 876.5
STDEV        27   58  24     6.6    0.6    6.9    1.2  0.4      9.1
CI (95%)

Memory latencies in nanoseconds - smaller is better
    (WARNING - may not be correct, check graphs)
---------------------------------------------------
Host                 OS   Mhz  L1 $   L2 $    Main mem    Guesses
--------- -------------  ---- ----- ------    --------    -------
ereshkiga Linux 2.6.10-  2974 0.671 6.1700  112.4
ereshkiga Linux 2.6.10-  2974 0.678 6.1710  112.6
ereshkiga Linux 2.6.10-  2974 0.703 6.1710  112.8
ereshkiga Linux 2.6.10-  2974 0.671 6.1710  112.3


                 L M B E N C H  2 . 0   S U M M A R Y
                 ------------------------------------


Basic system parameters
----------------------------------------------------
Host                 OS Description              Mhz
                                                    
--------- ------------- ----------------------- ----
ereshkiga Linux 2.6.10- results-newchain-mulsta 2974
ereshkiga Linux 2.6.10- results-newchain-mulsta 2974
ereshkiga Linux 2.6.10- results-newchain-mulsta 2974
ereshkiga Linux 2.6.10- results-newchain-mulsta 2974

Processor, Processes - times in microseconds - smaller is better
----------------------------------------------------------------
Host                 OS  Mhz null null      open selct sig  sig  fork exec sh
                             call  I/O stat clos TCP   inst hndl proc proc
proc
--------- ------------- ---- ---- ---- ---- ---- ----- ---- ---- ---- ----
----
ereshkiga Linux 2.6.10- 2974 0.14 0.49 3.98 4.90 4.772 0.51 1.62 81.1 399.
1771
ereshkiga Linux 2.6.10- 2974 0.14 0.49 3.92 4.85 4.558 0.54 1.59 81.1 388.
1747
ereshkiga Linux 2.6.10- 2974 0.14 0.50 3.95 4.88 4.753 0.51 1.60 79.2 397.
1739
ereshkiga Linux 2.6.10- 2974 0.14 0.50 3.97 4.88 4.906 0.51 1.60 80.3 405.
1781

MEAN                              3.96 3.96 4.88 4.747 0.52 1.60 80.4 397.
1760
STDEV                             0.02 0.02 0.02 0.124 0.01 0.01  0.8   6.
17
CI (95%)

Context switching - times in microseconds - smaller is better
-------------------------------------------------------------
Host                 OS 2p/0K 2p/16K 2p/64K 8p/16K 8p/64K 16p/16K 16p/64K
                        ctxsw  ctxsw  ctxsw ctxsw  ctxsw   ctxsw   ctxsw
--------- ------------- ----- ------ ------ ------ ------ ------- -------
ereshkiga Linux 2.6.10- 1.670 2.4800 4.5400 2.9000   32.2 6.66000    36.8
ereshkiga Linux 2.6.10- 1.650 2.4500 4.5500 3.4600   27.7 7.21000    36.7
ereshkiga Linux 2.6.10- 1.620 2.4700 4.5800 3.1700   31.9 7.33000    36.5
ereshkiga Linux 2.6.10- 1.600 2.4400 4.5000 3.1200   32.9 6.22000    36.9

MEAN                    1.635 2.46   4.54   3.16     31.2 6.86       36.7
STDEV                   0.027 0.02   0.03   0.20      2.0 0.45        0.1
CI (95%)

*Local* Communication latencies in microseconds - smaller is better
-------------------------------------------------------------------
Host                 OS 2p/0K  Pipe AF     UDP  RPC/   TCP  RPC/ TCP
                        ctxsw       UNIX         UDP         TCP conn
--------- ------------- ----- ----- ---- ----- ----- ----- ----- ----
ereshkiga Linux 2.6.10- 1.670 5.856 12.1  17.2  23.8  20.1  27.8 66.6
ereshkiga Linux 2.6.10- 1.650 5.934 11.9  17.0  23.9  20.1  27.7 66.0
ereshkiga Linux 2.6.10- 1.620 6.002 10.6  17.1  24.1  20.3  27.8 67.1
ereshkiga Linux 2.6.10- 1.600 5.875 11.7  16.9  24.1  17.8  28.0 66.3

MEAN                    1.64  5.917 11.6  17.1  24.0  19.6  27.8 66.5
STDEV                   0.03  0.057  0.6   0.1   0.1   1.0   0.1  0.4
CI (95%)

File & VM system latencies in microseconds - smaller is better
--------------------------------------------------------------
Host                 OS   0K File      10K File      Mmap    Prot    Page	
                        Create Delete Create Delete  Latency Fault   Fault 
--------- ------------- ------ ------ ------ ------  ------- -----   ----- 
ereshkiga Linux 2.6.10-   22.4   10.7   50.8   17.5   1028.0 0.583 1.00000
ereshkiga Linux 2.6.10-   22.4   10.7   51.0   17.4   1030.0 0.612 1.00000
ereshkiga Linux 2.6.10-   22.4   10.7   51.4   17.4   1021.0 0.628 1.00000
ereshkiga Linux 2.6.10-   22.5   10.7   51.5   17.4   1037.0 0.646 1.00000

MEAN                      22.43  10.7   51.2   17.43  1029   0.617
STDEV                      0.04    0     0.3    0.04     6   0.023
CI (95%)

*Local* Communication bandwidths in MB/s - bigger is better
----------------------------------------------
Host       Pipe AF    TCP  File   Mmap  Bcopy  Bcopy  Mem   Mem
                UNIX      reread reread (libc) (hand) read write
---------  ---- ---- ---- ------ ------ ------ ------ ---- -----
ereshkiga  1164 2471 599. 1681.3 1912.7  594.8  626.1 1912 862.6
ereshkiga  1161 2726 584. 1676.2 1914.3  601.2  625.6 1913 874.6
ereshkiga  1168 2502 551. 1672.6 1894.7  609.6  629.9 1913 876.1
ereshkiga  1175 2799 622. 1664.0 1895.1  610.5  628.5 1912 879.2

MEAN       1167 2625 589  1673.5 1904.2  604.0  627.5 1913 873.1
STDEV         5  141  26     6.3    9.3    6.4    1.8    1   6.3
CI (95%)

Memory latencies in nanoseconds - smaller is better
    (WARNING - may not be correct, check graphs)
---------------------------------------------------
Host                 OS   Mhz  L1 $   L2 $    Main mem    Guesses
--------- -------------  ---- ----- ------    --------    -------
ereshkiga Linux 2.6.10-  2974 0.670 6.1690  112.5
ereshkiga Linux 2.6.10-  2974 0.689 6.1700  112.4
ereshkiga Linux 2.6.10-  2974 0.670 6.1710  112.5
ereshkiga Linux 2.6.10-  2974 0.671 6.1700  112.4

