From: Stephen Smalley
This patch drops the ratelimit code from the SELinux avc, as this can now be handled by the audit framework. Enabling and setting the ratelimit is then left to userspace.
---
 25-akpm/security/selinux/avc.c | 55 -----------------------------------------
 1 files changed, 55 deletions(-)
diff -puN security/selinux/avc.c~selinux-remove-ratelimit security/selinux/avc.c
--- 25/security/selinux/avc.c~selinux-remove-ratelimit 2004-04-05 18:45:35.468819488 -0700
+++ 25-akpm/security/selinux/avc.c 2004-04-05 18:45:35.473818728 -0700
@@ -436,58 +436,6 @@ static inline void avc_print_ipv4_addr(s
 audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
 
-/*
- * Copied from net/core/utils.c:net_ratelimit and modified for
- * use by the AVC audit facility.
- */
-#define AVC_MSG_COST 5*HZ
-#define AVC_MSG_BURST 10*5*HZ
-
-/*
- * This enforces a rate limit: not more than one kernel message
- * every 5secs to make a denial-of-service attack impossible.
- */
-static int avc_ratelimit(void)
-{
- static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
- static unsigned long toks = 10*5*HZ;
- static unsigned long last_msg;
- static int missed, rc = 0;
- unsigned long flags;
- unsigned long now = jiffies;
-
- spin_lock_irqsave(&ratelimit_lock, flags);
- toks += now - last_msg;
- last_msg = now;
- if (toks > AVC_MSG_BURST)
- toks = AVC_MSG_BURST;
- if (toks >= AVC_MSG_COST) {
- int lost = missed;
- missed = 0;
- toks -= AVC_MSG_COST;
- spin_unlock_irqrestore(&ratelimit_lock, flags);
- if (lost)
- printk(KERN_WARNING "AVC: %d messages suppressed.\n",
- lost);
- rc = 1;
- goto out;
- }
- missed++;
- spin_unlock_irqrestore(&ratelimit_lock, flags);
-out:
- return rc;
-}
-
-static inline int check_avc_ratelimit(void)
-{
- if (selinux_enforcing)
- return avc_ratelimit();
- else {
- /* If permissive, then never suppress messages. */
- return 1;
- }
-}
-
 /**
  * avc_audit - Audit the granting or denial of permissions.
  * @ssid: source security identifier
@@ -529,9 +477,6 @@ void avc_audit(u32 ssid, u32 tsid,
 return;
 }
 
- if (!check_avc_ratelimit())
- return;
-
 ab = audit_log_start(current->audit_context);
 if (!ab)
 return; /* audit_panic has been called */
_