SELinux: do not allocate stack space for AVC data unless needed

[~andy/linux] / security / selinux / include / avc.h

diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 005a91bcb200d0d12ac6c7727f516743ae330439..1931370233d7b2123dad2947c930c0ecb9722ac5 100644 (file)
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -46,6 +46,31 @@ struct avc_cache_stats {
        unsigned int frees;
 };
 
+/*
+ * We only need this data after we have decided to send an audit message.
+ */
+struct selinux_late_audit_data {
+       u32 ssid;
+       u32 tsid;
+       u16 tclass;
+       u32 requested;
+       u32 audited;
+       u32 denied;
+       int result;
+};
+
+/*
+ * We collect this at the beginning or during an selinux security operation
+ */
+struct selinux_audit_data {
+       /*
+        * auditdeny is a bit tricky and unintuitive.  See the
+        * comments in avc.c for it's meaning and usage.
+        */
+       u32 auditdeny;
+       struct selinux_late_audit_data *slad;
+};
+
 /*
  * AVC operations
  */