selinux: reduce calls to context_struct_to_string()

context_struct_to_string() contains expensive kmalloc() calls. In most cases, there's no purpose in calling context_struct_to_string() on !CONFIG_AUDIT as logs won't be saved anyways. Signed-off-by: Park Ju Hyung <[email protected]> Signed-off-by: Samuel Pascua <[email protected]>
ananjaser1211 · Mar 21, 2021 · 1e9240f · 1e9240f
1 parent 2f078b7
commit 1e9240f
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
@@ -443,6 +443,7 @@ static int constraint_expr_eval(struct context *scontext,
 	return s[0];
 }
 
+#ifdef CONFIG_AUDIT
 /*
  * security_dump_masked_av - dumps masked permissions during
  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
@@ -532,6 +533,7 @@ static void security_dump_masked_av(struct context *scontext,
 
 	return;
 }
+#endif
 
 /*
  * security_boundary_permission - drops violated permissions
@@ -610,9 +612,11 @@ static void type_attribute_bounds_av(struct context *scontext,
 		/* mask violated permissions */
 		avd->allowed &= ~masked;
 
+#ifdef CONFIG_AUDIT
 		/* audit masked permissions */
 		security_dump_masked_av(scontext, tcontext,
 					tclass, masked, "bounds");
+#endif
 	}
 }
 
@@ -750,11 +754,12 @@ static void context_struct_compute_av(struct context *scontext,
 				 tclass, avd);
 }
 
-static int security_validtrans_handle_fail(struct context *ocontext,
+static inline int security_validtrans_handle_fail(struct context *ocontext,
 					   struct context *ncontext,
 					   struct context *tcontext,
 					   u16 tclass)
 {
+#ifdef CONFIG_AUDIT
 	char *o = NULL, *n = NULL, *t = NULL;
 	u32 olen, nlen, tlen;
 
@@ -772,6 +777,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
 	kfree(o);
 	kfree(n);
 	kfree(t);
+#endif
 
 // [ SEC_SELINUX_PORTING_COMMON
 #ifdef CONFIG_ALWAYS_ENFORCE
@@ -912,6 +918,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
 		index = type->bounds;
 	}
 
+#ifdef CONFIG_AUDIT
 	if (rc) {
 		char *old_name = NULL;
 		char *new_name = NULL;
@@ -931,6 +938,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
 		kfree(new_name);
 		kfree(old_name);
 	}
+#endif
 out:
 	read_unlock(&policy_rwlock);
 
@@ -1516,12 +1524,13 @@ int security_context_to_sid_force(const char *scontext, u32 scontext_len,
 					    sid, SECSID_NULL, GFP_KERNEL, 1);
 }
 
-static int compute_sid_handle_invalid_context(
+static inline int compute_sid_handle_invalid_context(
 	struct context *scontext,
 	struct context *tcontext,
 	u16 tclass,
 	struct context *newcontext)
 {
+#ifdef CONFIG_AUDIT
 	char *s = NULL, *t = NULL, *n = NULL;
 	u32 slen, tlen, nlen;
 
@@ -1541,6 +1550,7 @@ static int compute_sid_handle_invalid_context(
 	kfree(s);
 	kfree(t);
 	kfree(n);
+#endif
 
 // [ SEC_SELINUX_PORTING_COMMON
 #ifdef CONFIG_ALWAYS_ENFORCE
@@ -1837,8 +1847,10 @@ static int clone_sid(u32 sid,
 
 static inline int convert_context_handle_invalid_context(struct context *context)
 {
+#ifdef CONFIG_AUDIT
 	char *s;
 	u32 len;
+#endif
 
 // [ SEC_SELINUX_PORTING_COMMON
 #ifdef CONFIG_ALWAYS_ENFORCE
@@ -1848,10 +1860,12 @@ static inline int convert_context_handle_invalid_context(struct context *context
 	if (selinux_enforcing)
 		return -EINVAL;
 
+#ifdef CONFIG_AUDIT
 	if (!context_struct_to_string(context, &s, &len)) {
 		printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
 		kfree(s);
 	}
+#endif
 	return 0;
 }
 
@@ -1879,7 +1893,9 @@ static int convert_context(u32 key,
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
 	char *s;
+#ifdef CONFIG_AUDIT
 	u32 len;
+#endif
 	int rc = 0;
 
 	if (key <= SECINITSID_NUM)
@@ -1993,6 +2009,7 @@ static int convert_context(u32 key,
 out:
 	return rc;
 bad:
+#ifdef CONFIG_AUDIT
 	/* Map old representation to string and save it. */
 	rc = context_struct_to_string(&oldc, &s, &len);
 	if (rc)
@@ -2005,6 +2022,9 @@ static int convert_context(u32 key,
 	       c->str);
 	rc = 0;
 	goto out;
+#else
+    return 0;
+#endif
 }
 
 static void security_load_policycaps(void)
@@ -2761,8 +2781,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
 	struct context *context1;
 	struct context *context2;
 	struct context newcon;
+#ifdef CONFIG_AUDIT
 	char *s;
 	u32 len;
+#endif
 	int rc;
 
 	rc = 0;
@@ -2802,13 +2824,15 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
 	if (!policydb_context_isvalid(&policydb, &newcon)) {
 		rc = convert_context_handle_invalid_context(&newcon);
 		if (rc) {
+#ifdef CONFIG_AUDIT
 			if (!context_struct_to_string(&newcon, &s, &len)) {
 				audit_log(current->audit_context,
 					  GFP_ATOMIC, AUDIT_SELINUX_ERR,
 					  "op=security_sid_mls_copy "
 					  "invalid_context=%s", s);
 				kfree(s);
 			}
+#endif
 			goto out_unlock;
 		}
 	}