selinux: slow_avc_audit has become non-blocking

	}

}

/* This is the slow part of avc audit with big stack footprint */

/*

 * This is the slow part of avc audit with big stack footprint.

 * Note that it is non-blocking and can be called from under

 * rcu_read_lock().

 */

noinline int slow_avc_audit(struct selinux_state *state,

			    u32 ssid, u32 tsid, u16 tclass,

			    u32 requested, u32 audited, u32 denied, int result,

 * @ssid,@tsid,@tclass : identifier of an AVC entry

 * @seqno : sequence number when decision was made

 * @xpd: extended_perms_decision to be added to the node

 * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.

 * @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.

 *

 * if a valid AVC entry doesn't exist,this function returns -ENOENT.

 * if kmalloc() called internal returns NULL, this function returns -ENOMEM.

	struct hlist_head *head;

	spinlock_t *lock;

	/*

	 * If we are in a non-blocking code path, e.g. VFS RCU walk,

	 * then we must not add permissions to a cache entry

	 * because we will not audit the denial.  Otherwise,

	 * during the subsequent blocking retry (e.g. VFS ref walk), we

	 * will find the permissions already granted in the cache entry

	 * and won't audit anything at all, leading to silent denials in

	 * permissive mode that only appear when in enforcing mode.

	 *

	 * See the corresponding handling of MAY_NOT_BLOCK in avc_audit()

	 * and selinux_inode_permission().

	 */

	if (flags & AVC_NONBLOCKING)

		return 0;

	node = avc_alloc_node(avc);

	if (!node) {

		rc = -ENOMEM;

 * @tsid: target security identifier

 * @tclass: target security class

 * @requested: requested permissions, interpreted based on @tclass

 * @flags:  AVC_STRICT, AVC_NONBLOCKING, or 0

 * @flags:  AVC_STRICT or 0

 * @avd: access vector decisions

 *

 * Check the AVC to determine whether the @requested permissions are granted

	struct av_decision avd;

	int rc, rc2;

	rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested,

				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,

	rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,

				  &avd);

	rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,

{

	struct common_audit_data ad;

	struct inode_security_struct *isec = selinux_inode(inode);

	int rc;

	ad.type = LSM_AUDIT_DATA_INODE;

	ad.u.inode = inode;

	rc = slow_avc_audit(&selinux_state,

	return slow_avc_audit(&selinux_state,

			    current_sid(), isec->sid, isec->sclass, perms,

			    audited, denied, result, &ad);

	if (rc)

		return rc;

	return 0;

}

static int selinux_inode_permission(struct inode *inode, int mask)

		return PTR_ERR(isec);

	rc = avc_has_perm_noaudit(&selinux_state,

				  sid, isec->sid, isec->sclass, perms,

				  no_block ? AVC_NONBLOCKING : 0,

				  sid, isec->sid, isec->sclass, perms, 0,

				  &avd);

	audited = avc_audit_required(perms, &avd, rc,

				     from_access ? FILE__AUDIT_ACCESS : 0,

	if (likely(!audited))

		return rc;

	/* fall back to ref-walk if we have to generate audit */

	if (no_block)

		return -ECHILD;

	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);

	if (rc2)

		return rc2;

	audited = avc_audit_required(requested, avd, result, 0, &denied);

	if (likely(!audited))

		return 0;

	/* fall back to ref-walk if we have to generate audit */

	if (flags & MAY_NOT_BLOCK)

		return -ECHILD;

	return slow_avc_audit(state, ssid, tsid, tclass,

			      requested, audited, denied, result,

			      a);

#define AVC_STRICT 1 /* Ignore permissive mode. */

#define AVC_EXTENDED_PERMS 2	/* update extended permissions */

#define AVC_NONBLOCKING    4	/* non blocking */

int avc_has_perm_noaudit(struct selinux_state *state,

			 u32 ssid, u32 tsid,

			 u16 tclass, u32 requested,