diff options
| author |   Stephen Smalley <stephen.smalley.work@gmail.com> | 2025-05-21 10:41:25 -0400 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2025-06-19 17:23:05 -0400 |
| commit | 951b2de06a0bd64930949c7d3bd5a113cdf24189 (patch) | |
| tree | 0e3d24d3df38c1ff352a9f53e8edfc2a00796b85 | |
| parent | selinux: introduce neveraudit types (diff) | |
| download | wireguard-linux-951b2de06a0bd64930949c7d3bd5a113cdf24189.tar.xz wireguard-linux-951b2de06a0bd64930949c7d3bd5a113cdf24189.zip | |
selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive
Extend the task avdcache to also cache whether the task SID is both
permissive and neveraudit, and return immediately if so in both
selinux_inode_getattr() and selinux_inode_permission().
The same approach could be applied to many of the hook functions
although the avdcache would need to be updated for more than directory
search checks in order for this optimization to be beneficial for checks
on objects other than directories.
To test, apply https://github.com/SELinuxProject/selinux/pull/473 to
your selinux userspace, build and install libsepol, and use the following
CIL policy module:
$ cat neverauditpermissive.cil
(typeneveraudit unconfined_t)
(typepermissive unconfined_t)
Without this module inserted, running the following commands:
perf record make -jN # on an already built allmodconfig tree
perf report --sort=symbol,dso
yields the following percentages (only showing __d_lookup_rcu for
reference and only showing relevant SELinux functions):
1.65% [k] __d_lookup_rcu
0.53% [k] selinux_inode_permission
0.40% [k] selinux_inode_getattr
0.15% [k] avc_lookup
0.05% [k] avc_has_perm
0.05% [k] avc_has_perm_noaudit
0.02% [k] avc_policy_seqno
0.02% [k] selinux_file_permission
0.01% [k] selinux_inode_alloc_security
0.01% [k] selinux_file_alloc_security
for a total of 1.24% for SELinux compared to 1.65% for
__d_lookup_rcu().
After running the following command to insert this module:
semodule -i neverauditpermissive.cil
and then re-running the same perf commands from above yields
the following non-zero percentages:
1.74% [k] __d_lookup_rcu
0.31% [k] selinux_inode_permission
0.03% [k] selinux_inode_getattr
0.03% [k] avc_policy_seqno
0.01% [k] avc_lookup
0.01% [k] selinux_file_permission
0.01% [k] selinux_file_open
for a total of 0.40% for SELinux compared to 1.74% for
__d_lookup_rcu().
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | security/selinux/hooks.c | 14 | ||||
| -rw-r--r-- | security/selinux/include/objsec.h | 8 |
2 files changed, 21 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 595ceb314aeb..335fbf76cdd2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3181,6 +3181,8 @@ static inline void task_avdcache_update(struct task_security_struct *tsec, tsec->avdcache.dir[spot].audited = audited; tsec->avdcache.dir[spot].allowed = avd->allowed; tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; + tsec->avdcache.permissive_neveraudit = + (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); } /** @@ -3207,10 +3209,13 @@ static int selinux_inode_permission(struct inode *inode, int requested) if (!mask) return 0; + tsec = selinux_cred(current_cred()); + if (task_avdcache_permnoaudit(tsec)) + return 0; + isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); if (IS_ERR(isec)) return PTR_ERR(isec); - tsec = selinux_cred(current_cred()); perms = file_mask_to_av(inode->i_mode, mask); rc = task_avdcache_search(tsec, isec, &avdc); @@ -3274,6 +3279,13 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, static int selinux_inode_getattr(const struct path *path) { + struct task_security_struct *tsec; + + tsec = selinux_cred(current_cred()); + + if (task_avdcache_permnoaudit(tsec)) + return 0; + return path_has_perm(current_cred(), path, FILE__GETATTR); } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 6ee7dc4dfd6e..1d7ac59015a1 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -49,9 +49,17 @@ struct task_security_struct { u32 seqno; /* AVC sequence number */ unsigned int dir_spot; /* dir cache index to check first */ struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */ + bool permissive_neveraudit; /* permissive and neveraudit */ } avdcache; } __randomize_layout; +static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec) +{ + return (tsec->avdcache.permissive_neveraudit && + tsec->sid == tsec->avdcache.sid && + tsec->avdcache.seqno == avc_policy_seqno()); +} + enum label_initialized { LABEL_INVALID, /* invalid or not initialized */ LABEL_INITIALIZED, /* initialized */ |