SELinux: reset the security_ops before flushing the avc cache

This patch resets the security_ops to the secondary_ops before it flushes the avc. It's still possible that a task on another processor could have already passed the security_ops dereference and be executing an selinux hook function which would add a new avc entry. That entry would still not be freed. This should however help to reduce the number of needless avcs the kernel has when selinux is disabled at run time. There is no wasted memory if selinux is disabled on the command line or not compiled. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2009-09-20 21:23:01 -0400
committer: James Morris <jmorris@namei.org> 2009-09-30 19:17:06 +1000
commit: af8ff04917169805b151280155bf772d3ca9bec0 (patch)
tree: 1a1ec17d0926b4bbe9f8b243231582dde02ef1f5 /security
parent: 1669b049db50fc7f1d4e694fb115a0f408c63fce (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d708..a985d0bc59b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5830,12 +5830,12 @@ int selinux_disable(void)
 	selinux_disabled = 1;
 	selinux_enabled = 0;
 
-	/* Try to destroy the avc node cache */
-	avc_disable();
-
 	/* Reset security_ops to the secondary module, dummy or capability. */
 	security_ops = secondary_ops;
 
+	/* Try to destroy the avc node cache */
+	avc_disable();
+
 	/* Unregister netfilter hooks. */
 	selinux_nf_ip_exit();
author	Eric Paris <eparis@redhat.com>	2009-09-20 21:23:01 -0400
committer	James Morris <jmorris@namei.org>	2009-09-30 19:17:06 +1000
commit	af8ff04917169805b151280155bf772d3ca9bec0 (patch)
tree	1a1ec17d0926b4bbe9f8b243231582dde02ef1f5 /security
parent	1669b049db50fc7f1d4e694fb115a0f408c63fce (diff)