---

yaml
---
r: 250798
b: refs/heads/master
c: 03a4c01
h: refs/heads/master
v: v3

[refs]

@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 2667991f60e67d28c495b8967aaabf84b4ccd560
+refs/heads/master: 03a4c0182a156547edd5f2717c1702590fe36bbf

trunk/security/selinux/ss/policydb.c

@@ -240,6 +240,7 @@ static int policydb_init(struct policydb *p)
 	if (!p->range_tr)
 		goto out;
 
+	ebitmap_init(&p->filename_trans_ttypes);
 	ebitmap_init(&p->policycaps);
 	ebitmap_init(&p->permissive_map);
 
@@ -801,6 +802,7 @@ void policydb_destroy(struct policydb *p)
 		ft = nft;
 	}
 
+	ebitmap_destroy(&p->filename_trans_ttypes);
 	ebitmap_destroy(&p->policycaps);
 	ebitmap_destroy(&p->permissive_map);
 
@@ -1868,6 +1870,10 @@ static int filename_trans_read(struct policydb *p, void *fp)
 		ft->ttype = le32_to_cpu(buf[1]);
 		ft->tclass = le32_to_cpu(buf[2]);
 		ft->otype = le32_to_cpu(buf[3]);
+
+		rc = ebitmap_set_bit(&p->filename_trans_ttypes, ft->ttype, 1);
+		if (rc)
+			goto out;
 	}
 	rc = 0;
 out:

trunk/security/selinux/ss/policydb.h

@@ -227,6 +227,8 @@ struct policydb {
 	/* role transitions */
 	struct role_trans *role_tr;
 
+	/* quickly exclude lookups when parent ttype has no rules */
+	struct ebitmap filename_trans_ttypes;
 	/* file transitions with the last path component */
 	struct filename_trans *filename_trans;
 

trunk/security/selinux/ss/services.c

@@ -1363,6 +1363,15 @@ static void filename_compute_type(struct policydb *p, struct context *newcontext
 				  const char *objname)
 {
 	struct filename_trans *ft;
+
+	/*
+	 * Most filename trans rules are going to live in specific directories
+	 * like /dev or /var/run.  This bitmap will quickly skip rule searches
+	 * if the ttype does not contain any rules.
+	 */
+	if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
+		return;
+
 	for (ft = p->filename_trans; ft; ft = ft->next) {
 		if (ft->stype == stype &&
 		    ft->ttype == ttype &&