* [RFC PATCH] selinux: reduce the number of calls to synchronize_net() when flushing caches
@ 2014-06-27 20:41 Paul Moore
2014-07-03 1:57 ` Jaejyn Shin
0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2014-06-27 20:41 UTC (permalink / raw
To: selinux; +Cc: Jaejyn Shin
When flushing the AVC, such as during a policy load, the various
network caches are also flushed, with each making a call to
synchronize_net() which has shown to be expensive in some cases.
This patch consolidates the network cache flushes into a single AVC
callback which only calls synchronize_net() once for each AVC cache
flush.
Reported-by: Jaejyn Shin <flagon22bass@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
security/selinux/hooks.c | 14 ++++++++++++++
security/selinux/include/netif.h | 2 ++
security/selinux/include/netnode.h | 2 ++
security/selinux/include/netport.h | 2 ++
security/selinux/netif.c | 15 +--------------
security/selinux/netnode.c | 15 +--------------
security/selinux/netport.c | 15 +--------------
7 files changed, 23 insertions(+), 42 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 336f0a0..39bc8c9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
}
+static int selinux_netcache_avc_callback(u32 event)
+{
+ if (event == AVC_CALLBACK_RESET) {
+ sel_netif_flush();
+ sel_netnode_flush();
+ sel_netport_flush();
+ synchronize_net();
+ }
+ return 0;
+}
+
/*
* initialise the security for the init task
*/
@@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
if (register_security(&selinux_ops))
panic("SELinux: Unable to register with kernel.\n");
+ if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
+ panic("SELinux: Unable to register AVC netcache callback\n");
+
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
else
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 43d5072..57c6eae 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -17,6 +17,8 @@
#ifndef _SELINUX_NETIF_H_
#define _SELINUX_NETIF_H_
+void sel_netif_flush(void);
+
int sel_netif_sid(int ifindex, u32 *sid);
#endif /* _SELINUX_NETIF_H_ */
diff --git a/security/selinux/include/netnode.h b/security/selinux/include/netnode.h
index df7a5ed..937668d 100644
--- a/security/selinux/include/netnode.h
+++ b/security/selinux/include/netnode.h
@@ -27,6 +27,8 @@
#ifndef _SELINUX_NETNODE_H
#define _SELINUX_NETNODE_H
+void sel_netnode_flush(void);
+
int sel_netnode_sid(void *addr, u16 family, u32 *sid);
#endif
diff --git a/security/selinux/include/netport.h b/security/selinux/include/netport.h
index 4d965b8..d1ce896 100644
--- a/security/selinux/include/netport.h
+++ b/security/selinux/include/netport.h
@@ -26,6 +26,8 @@
#ifndef _SELINUX_NETPORT_H
#define _SELINUX_NETPORT_H
+void sel_netport_flush(void);
+
int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid);
#endif
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 694e9e4..3c3de4c 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -240,7 +240,7 @@ static void sel_netif_kill(int ifindex)
* Remove all entries from the network interface table.
*
*/
-static void sel_netif_flush(void)
+void sel_netif_flush(void)
{
int idx;
struct sel_netif *netif;
@@ -252,15 +252,6 @@ static void sel_netif_flush(void)
spin_unlock_bh(&sel_netif_lock);
}
-static int sel_netif_avc_callback(u32 event)
-{
- if (event == AVC_CALLBACK_RESET) {
- sel_netif_flush();
- synchronize_net();
- }
- return 0;
-}
-
static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
unsigned long event, void *ptr)
{
@@ -291,10 +282,6 @@ static __init int sel_netif_init(void)
register_netdevice_notifier(&sel_netif_netdev_notifier);
- err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
- if (err)
- panic("avc_add_callback() failed, error %d\n", err);
-
return err;
}
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 03a72c3..ddf3152 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -283,7 +283,7 @@ int sel_netnode_sid(void *addr, u16 family, u32 *sid)
* Remove all entries from the network address table.
*
*/
-static void sel_netnode_flush(void)
+void sel_netnode_flush(void)
{
unsigned int idx;
struct sel_netnode *node, *node_tmp;
@@ -300,15 +300,6 @@ static void sel_netnode_flush(void)
spin_unlock_bh(&sel_netnode_lock);
}
-static int sel_netnode_avc_callback(u32 event)
-{
- if (event == AVC_CALLBACK_RESET) {
- sel_netnode_flush();
- synchronize_net();
- }
- return 0;
-}
-
static __init int sel_netnode_init(void)
{
int iter;
@@ -322,10 +313,6 @@ static __init int sel_netnode_init(void)
sel_netnode_hash[iter].size = 0;
}
- ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET);
- if (ret != 0)
- panic("avc_add_callback() failed, error %d\n", ret);
-
return ret;
}
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index d353797..73ac678 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -217,7 +217,7 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
* Remove all entries from the network address table.
*
*/
-static void sel_netport_flush(void)
+void sel_netport_flush(void)
{
unsigned int idx;
struct sel_netport *port, *port_tmp;
@@ -234,15 +234,6 @@ static void sel_netport_flush(void)
spin_unlock_bh(&sel_netport_lock);
}
-static int sel_netport_avc_callback(u32 event)
-{
- if (event == AVC_CALLBACK_RESET) {
- sel_netport_flush();
- synchronize_net();
- }
- return 0;
-}
-
static __init int sel_netport_init(void)
{
int iter;
@@ -256,10 +247,6 @@ static __init int sel_netport_init(void)
sel_netport_hash[iter].size = 0;
}
- ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET);
- if (ret != 0)
- panic("avc_add_callback() failed, error %d\n", ret);
-
return ret;
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [RFC PATCH] selinux: reduce the number of calls to synchronize_net() when flushing caches
2014-06-27 20:41 [RFC PATCH] selinux: reduce the number of calls to synchronize_net() when flushing caches Paul Moore
@ 2014-07-03 1:57 ` Jaejyn Shin
2014-07-07 19:37 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: Jaejyn Shin @ 2014-07-03 1:57 UTC (permalink / raw
To: Paul Moore; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 7126 bytes --]
Thank you for your effort !!
The booting time might not be a problem for other people, but it was a
serious problem for me.
Thank you~
Best regards
2014-06-28 5:41 GMT+09:00 Paul Moore <pmoore@redhat.com>:
> When flushing the AVC, such as during a policy load, the various
> network caches are also flushed, with each making a call to
> synchronize_net() which has shown to be expensive in some cases.
> This patch consolidates the network cache flushes into a single AVC
> callback which only calls synchronize_net() once for each AVC cache
> flush.
>
> Reported-by: Jaejyn Shin <flagon22bass@gmail.com>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
> ---
> security/selinux/hooks.c | 14 ++++++++++++++
> security/selinux/include/netif.h | 2 ++
> security/selinux/include/netnode.h | 2 ++
> security/selinux/include/netport.h | 2 ++
> security/selinux/netif.c | 15 +--------------
> security/selinux/netnode.c | 15 +--------------
> security/selinux/netport.c | 15 +--------------
> 7 files changed, 23 insertions(+), 42 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 336f0a0..39bc8c9 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
> return (selinux_policycap_alwaysnetwork || netlbl_enabled() ||
> selinux_xfrm_enabled());
> }
>
> +static int selinux_netcache_avc_callback(u32 event)
> +{
> + if (event == AVC_CALLBACK_RESET) {
> + sel_netif_flush();
> + sel_netnode_flush();
> + sel_netport_flush();
> + synchronize_net();
> + }
> + return 0;
> +}
> +
> /*
> * initialise the security for the init task
> */
> @@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
> if (register_security(&selinux_ops))
> panic("SELinux: Unable to register with kernel.\n");
>
> + if (avc_add_callback(selinux_netcache_avc_callback,
> AVC_CALLBACK_RESET))
> + panic("SELinux: Unable to register AVC netcache
> callback\n");
> +
> if (selinux_enforcing)
> printk(KERN_DEBUG "SELinux: Starting in enforcing
> mode\n");
> else
> diff --git a/security/selinux/include/netif.h
> b/security/selinux/include/netif.h
> index 43d5072..57c6eae 100644
> --- a/security/selinux/include/netif.h
> +++ b/security/selinux/include/netif.h
> @@ -17,6 +17,8 @@
> #ifndef _SELINUX_NETIF_H_
> #define _SELINUX_NETIF_H_
>
> +void sel_netif_flush(void);
> +
> int sel_netif_sid(int ifindex, u32 *sid);
>
> #endif /* _SELINUX_NETIF_H_ */
> diff --git a/security/selinux/include/netnode.h
> b/security/selinux/include/netnode.h
> index df7a5ed..937668d 100644
> --- a/security/selinux/include/netnode.h
> +++ b/security/selinux/include/netnode.h
> @@ -27,6 +27,8 @@
> #ifndef _SELINUX_NETNODE_H
> #define _SELINUX_NETNODE_H
>
> +void sel_netnode_flush(void);
> +
> int sel_netnode_sid(void *addr, u16 family, u32 *sid);
>
> #endif
> diff --git a/security/selinux/include/netport.h
> b/security/selinux/include/netport.h
> index 4d965b8..d1ce896 100644
> --- a/security/selinux/include/netport.h
> +++ b/security/selinux/include/netport.h
> @@ -26,6 +26,8 @@
> #ifndef _SELINUX_NETPORT_H
> #define _SELINUX_NETPORT_H
>
> +void sel_netport_flush(void);
> +
> int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid);
>
> #endif
> diff --git a/security/selinux/netif.c b/security/selinux/netif.c
> index 694e9e4..3c3de4c 100644
> --- a/security/selinux/netif.c
> +++ b/security/selinux/netif.c
> @@ -240,7 +240,7 @@ static void sel_netif_kill(int ifindex)
> * Remove all entries from the network interface table.
> *
> */
> -static void sel_netif_flush(void)
> +void sel_netif_flush(void)
> {
> int idx;
> struct sel_netif *netif;
> @@ -252,15 +252,6 @@ static void sel_netif_flush(void)
> spin_unlock_bh(&sel_netif_lock);
> }
>
> -static int sel_netif_avc_callback(u32 event)
> -{
> - if (event == AVC_CALLBACK_RESET) {
> - sel_netif_flush();
> - synchronize_net();
> - }
> - return 0;
> -}
> -
> static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
> unsigned long event, void
> *ptr)
> {
> @@ -291,10 +282,6 @@ static __init int sel_netif_init(void)
>
> register_netdevice_notifier(&sel_netif_netdev_notifier);
>
> - err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
> - if (err)
> - panic("avc_add_callback() failed, error %d\n", err);
> -
> return err;
> }
>
> diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
> index 03a72c3..ddf3152 100644
> --- a/security/selinux/netnode.c
> +++ b/security/selinux/netnode.c
> @@ -283,7 +283,7 @@ int sel_netnode_sid(void *addr, u16 family, u32 *sid)
> * Remove all entries from the network address table.
> *
> */
> -static void sel_netnode_flush(void)
> +void sel_netnode_flush(void)
> {
> unsigned int idx;
> struct sel_netnode *node, *node_tmp;
> @@ -300,15 +300,6 @@ static void sel_netnode_flush(void)
> spin_unlock_bh(&sel_netnode_lock);
> }
>
> -static int sel_netnode_avc_callback(u32 event)
> -{
> - if (event == AVC_CALLBACK_RESET) {
> - sel_netnode_flush();
> - synchronize_net();
> - }
> - return 0;
> -}
> -
> static __init int sel_netnode_init(void)
> {
> int iter;
> @@ -322,10 +313,6 @@ static __init int sel_netnode_init(void)
> sel_netnode_hash[iter].size = 0;
> }
>
> - ret = avc_add_callback(sel_netnode_avc_callback,
> AVC_CALLBACK_RESET);
> - if (ret != 0)
> - panic("avc_add_callback() failed, error %d\n", ret);
> -
> return ret;
> }
>
> diff --git a/security/selinux/netport.c b/security/selinux/netport.c
> index d353797..73ac678 100644
> --- a/security/selinux/netport.c
> +++ b/security/selinux/netport.c
> @@ -217,7 +217,7 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
> * Remove all entries from the network address table.
> *
> */
> -static void sel_netport_flush(void)
> +void sel_netport_flush(void)
> {
> unsigned int idx;
> struct sel_netport *port, *port_tmp;
> @@ -234,15 +234,6 @@ static void sel_netport_flush(void)
> spin_unlock_bh(&sel_netport_lock);
> }
>
> -static int sel_netport_avc_callback(u32 event)
> -{
> - if (event == AVC_CALLBACK_RESET) {
> - sel_netport_flush();
> - synchronize_net();
> - }
> - return 0;
> -}
> -
> static __init int sel_netport_init(void)
> {
> int iter;
> @@ -256,10 +247,6 @@ static __init int sel_netport_init(void)
> sel_netport_hash[iter].size = 0;
> }
>
> - ret = avc_add_callback(sel_netport_avc_callback,
> AVC_CALLBACK_RESET);
> - if (ret != 0)
> - panic("avc_add_callback() failed, error %d\n", ret);
> -
> return ret;
> }
>
>
>
[-- Attachment #2: Type: text/html, Size: 8723 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC PATCH] selinux: reduce the number of calls to synchronize_net() when flushing caches
2014-07-03 1:57 ` Jaejyn Shin
@ 2014-07-07 19:37 ` Paul Moore
0 siblings, 0 replies; 3+ messages in thread
From: Paul Moore @ 2014-07-07 19:37 UTC (permalink / raw
To: Jaejyn Shin; +Cc: selinux
On Thursday, July 03, 2014 10:57:23 AM Jaejyn Shin wrote:
> Thank you for your effort !!
>
> The booting time might not be a problem for other people, but it was a
> serious problem for me.
I haven't heard any comments so I'm going to go ahead and move this into
SELinux #next.
> 2014-06-28 5:41 GMT+09:00 Paul Moore <pmoore@redhat.com>:
> > When flushing the AVC, such as during a policy load, the various
> > network caches are also flushed, with each making a call to
> > synchronize_net() which has shown to be expensive in some cases.
> > This patch consolidates the network cache flushes into a single AVC
> > callback which only calls synchronize_net() once for each AVC cache
> > flush.
> >
> > Reported-by: Jaejyn Shin <flagon22bass@gmail.com>
> > Signed-off-by: Paul Moore <pmoore@redhat.com>
> > ---
> >
> > security/selinux/hooks.c | 14 ++++++++++++++
> > security/selinux/include/netif.h | 2 ++
> > security/selinux/include/netnode.h | 2 ++
> > security/selinux/include/netport.h | 2 ++
> > security/selinux/netif.c | 15 +--------------
> > security/selinux/netnode.c | 15 +--------------
> > security/selinux/netport.c | 15 +--------------
> > 7 files changed, 23 insertions(+), 42 deletions(-)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 336f0a0..39bc8c9 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
> >
> > return (selinux_policycap_alwaysnetwork || netlbl_enabled() ||
> >
> > selinux_xfrm_enabled());
> >
> > }
> >
> > +static int selinux_netcache_avc_callback(u32 event)
> > +{
> > + if (event == AVC_CALLBACK_RESET) {
> > + sel_netif_flush();
> > + sel_netnode_flush();
> > + sel_netport_flush();
> > + synchronize_net();
> > + }
> > + return 0;
> > +}
> > +
> >
> > /*
> >
> > * initialise the security for the init task
> > */
> >
> > @@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
> >
> > if (register_security(&selinux_ops))
> >
> > panic("SELinux: Unable to register with kernel.\n");
> >
> > + if (avc_add_callback(selinux_netcache_avc_callback,
> > AVC_CALLBACK_RESET))
> > + panic("SELinux: Unable to register AVC netcache
> > callback\n");
> > +
> >
> > if (selinux_enforcing)
> >
> > printk(KERN_DEBUG "SELinux: Starting in enforcing
> >
> > mode\n");
> >
> > else
> >
> > diff --git a/security/selinux/include/netif.h
> > b/security/selinux/include/netif.h
> > index 43d5072..57c6eae 100644
> > --- a/security/selinux/include/netif.h
> > +++ b/security/selinux/include/netif.h
> > @@ -17,6 +17,8 @@
> >
> > #ifndef _SELINUX_NETIF_H_
> > #define _SELINUX_NETIF_H_
> >
> > +void sel_netif_flush(void);
> > +
> >
> > int sel_netif_sid(int ifindex, u32 *sid);
> >
> > #endif /* _SELINUX_NETIF_H_ */
> >
> > diff --git a/security/selinux/include/netnode.h
> > b/security/selinux/include/netnode.h
> > index df7a5ed..937668d 100644
> > --- a/security/selinux/include/netnode.h
> > +++ b/security/selinux/include/netnode.h
> > @@ -27,6 +27,8 @@
> >
> > #ifndef _SELINUX_NETNODE_H
> > #define _SELINUX_NETNODE_H
> >
> > +void sel_netnode_flush(void);
> > +
> >
> > int sel_netnode_sid(void *addr, u16 family, u32 *sid);
> >
> > #endif
> >
> > diff --git a/security/selinux/include/netport.h
> > b/security/selinux/include/netport.h
> > index 4d965b8..d1ce896 100644
> > --- a/security/selinux/include/netport.h
> > +++ b/security/selinux/include/netport.h
> > @@ -26,6 +26,8 @@
> >
> > #ifndef _SELINUX_NETPORT_H
> > #define _SELINUX_NETPORT_H
> >
> > +void sel_netport_flush(void);
> > +
> >
> > int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid);
> >
> > #endif
> >
> > diff --git a/security/selinux/netif.c b/security/selinux/netif.c
> > index 694e9e4..3c3de4c 100644
> > --- a/security/selinux/netif.c
> > +++ b/security/selinux/netif.c
> > @@ -240,7 +240,7 @@ static void sel_netif_kill(int ifindex)
> >
> > * Remove all entries from the network interface table.
> > *
> > */
> >
> > -static void sel_netif_flush(void)
> > +void sel_netif_flush(void)
> >
> > {
> >
> > int idx;
> > struct sel_netif *netif;
> >
> > @@ -252,15 +252,6 @@ static void sel_netif_flush(void)
> >
> > spin_unlock_bh(&sel_netif_lock);
> >
> > }
> >
> > -static int sel_netif_avc_callback(u32 event)
> > -{
> > - if (event == AVC_CALLBACK_RESET) {
> > - sel_netif_flush();
> > - synchronize_net();
> > - }
> > - return 0;
> > -}
> > -
> >
> > static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
> >
> > unsigned long event, void
> >
> > *ptr)
> >
> > {
> >
> > @@ -291,10 +282,6 @@ static __init int sel_netif_init(void)
> >
> > register_netdevice_notifier(&sel_netif_netdev_notifier);
> >
> > - err = avc_add_callback(sel_netif_avc_callback,
> > AVC_CALLBACK_RESET);
> > - if (err)
> > - panic("avc_add_callback() failed, error %d\n", err);
> > -
> >
> > return err;
> >
> > }
> >
> > diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
> > index 03a72c3..ddf3152 100644
> > --- a/security/selinux/netnode.c
> > +++ b/security/selinux/netnode.c
> > @@ -283,7 +283,7 @@ int sel_netnode_sid(void *addr, u16 family, u32 *sid)
> >
> > * Remove all entries from the network address table.
> > *
> > */
> >
> > -static void sel_netnode_flush(void)
> > +void sel_netnode_flush(void)
> >
> > {
> >
> > unsigned int idx;
> > struct sel_netnode *node, *node_tmp;
> >
> > @@ -300,15 +300,6 @@ static void sel_netnode_flush(void)
> >
> > spin_unlock_bh(&sel_netnode_lock);
> >
> > }
> >
> > -static int sel_netnode_avc_callback(u32 event)
> > -{
> > - if (event == AVC_CALLBACK_RESET) {
> > - sel_netnode_flush();
> > - synchronize_net();
> > - }
> > - return 0;
> > -}
> > -
> >
> > static __init int sel_netnode_init(void)
> > {
> >
> > int iter;
> >
> > @@ -322,10 +313,6 @@ static __init int sel_netnode_init(void)
> >
> > sel_netnode_hash[iter].size = 0;
> >
> > }
> >
> > - ret = avc_add_callback(sel_netnode_avc_callback,
> > AVC_CALLBACK_RESET);
> > - if (ret != 0)
> > - panic("avc_add_callback() failed, error %d\n", ret);
> > -
> >
> > return ret;
> >
> > }
> >
> > diff --git a/security/selinux/netport.c b/security/selinux/netport.c
> > index d353797..73ac678 100644
> > --- a/security/selinux/netport.c
> > +++ b/security/selinux/netport.c
> > @@ -217,7 +217,7 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
> >
> > * Remove all entries from the network address table.
> > *
> > */
> >
> > -static void sel_netport_flush(void)
> > +void sel_netport_flush(void)
> >
> > {
> >
> > unsigned int idx;
> > struct sel_netport *port, *port_tmp;
> >
> > @@ -234,15 +234,6 @@ static void sel_netport_flush(void)
> >
> > spin_unlock_bh(&sel_netport_lock);
> >
> > }
> >
> > -static int sel_netport_avc_callback(u32 event)
> > -{
> > - if (event == AVC_CALLBACK_RESET) {
> > - sel_netport_flush();
> > - synchronize_net();
> > - }
> > - return 0;
> > -}
> > -
> >
> > static __init int sel_netport_init(void)
> > {
> >
> > int iter;
> >
> > @@ -256,10 +247,6 @@ static __init int sel_netport_init(void)
> >
> > sel_netport_hash[iter].size = 0;
> >
> > }
> >
> > - ret = avc_add_callback(sel_netport_avc_callback,
> > AVC_CALLBACK_RESET);
> > - if (ret != 0)
> > - panic("avc_add_callback() failed, error %d\n", ret);
> > -
> >
> > return ret;
> >
> > }
--
paul moore
security and virtualization @ redhat
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-07-07 19:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-06-27 20:41 [RFC PATCH] selinux: reduce the number of calls to synchronize_net() when flushing caches Paul Moore
2014-07-03 1:57 ` Jaejyn Shin
2014-07-07 19:37 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.