From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch drops the rate-limiting code from the SELinux AVC, since message
rate limiting can now be handled by the audit framework.  Enabling and
configuring the rate limit is then left to userspace.


---

 25-akpm/security/selinux/avc.c |   55 -----------------------------------------
 1 files changed, 55 deletions(-)

diff -puN security/selinux/avc.c~selinux-remove-ratelimit security/selinux/avc.c
--- 25/security/selinux/avc.c~selinux-remove-ratelimit	2004-04-04 17:14:01.079890056 -0700
+++ 25-akpm/security/selinux/avc.c	2004-04-04 17:14:01.084889296 -0700
@@ -435,58 +435,6 @@ static inline void avc_print_ipv4_addr(s
 		audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
 
-/*
- * Copied from net/core/utils.c:net_ratelimit and modified for
- * use by the AVC audit facility.
- */
-#define AVC_MSG_COST	5*HZ
-#define AVC_MSG_BURST	10*5*HZ
-
-/*
- * This enforces a rate limit: not more than one kernel message
- * every 5secs to make a denial-of-service attack impossible.
- */
-static int avc_ratelimit(void)
-{
-	static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
-	static unsigned long toks = 10*5*HZ;
-	static unsigned long last_msg;
-	static int missed, rc = 0;
-	unsigned long flags;
-	unsigned long now = jiffies;
-
-	spin_lock_irqsave(&ratelimit_lock, flags);
-	toks += now - last_msg;
-	last_msg = now;
-	if (toks > AVC_MSG_BURST)
-		toks = AVC_MSG_BURST;
-	if (toks >= AVC_MSG_COST) {
-		int lost = missed;
-		missed = 0;
-		toks -= AVC_MSG_COST;
-		spin_unlock_irqrestore(&ratelimit_lock, flags);
-		if (lost)
-			printk(KERN_WARNING "AVC: %d messages suppressed.\n",
-			       lost);
-		rc = 1;
-		goto out;
-	}
-	missed++;
-	spin_unlock_irqrestore(&ratelimit_lock, flags);
-out:
-	return rc;
-}
-
-static inline int check_avc_ratelimit(void)
-{
-	if (selinux_enforcing)
-		return avc_ratelimit();
-	else {
-		/* If permissive, then never suppress messages. */
-		return 1;
-	}
-}
-
 /**
  * avc_audit - Audit the granting or denial of permissions.
  * @ssid: source security identifier
@@ -528,9 +476,6 @@ void avc_audit(u32 ssid, u32 tsid,
 			return;
 	}
 
-	if (!check_avc_ratelimit())
-		return;
-
 	ab = audit_log_start(current->audit_context);
 	if (!ab)
 		return;		/* audit_panic has been called */
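Review bot: With the `check_avc_ratelimit()` guard removed, every audited denial now reaches `audit_log_start()` unconditionally, so until userspace actually enables a rate limit in the audit framework a flood of denials is unthrottled in the kernel — the deleted helper's own comment described exactly that as the denial-of-service case it existed to prevent. The deleted helper also never suppressed messages in permissive mode, whereas an audit-framework limit presumably applies regardless of enforcing status, so complete denial logs during policy development now depend on userspace leaving the limit off. That trade-off is worth recording at the call site, e.g. `/* No in-kernel throttling: any rate limit is applied by the audit framework and must be configured from userspace. */`, or in the commit message. avc_audit's body starts outside the hunk.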

_