libsepol,checkpolicy: introduce neveraudit types #473
+492
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stephensmalley
force-pushed
the
neveraudit
branch
2 times, most recently
from
1af032b to
dd1501d
Compare
Introduce neveraudit types i.e. types that should never trigger audit messages. This allows the AVC to skip all audit-related processing for such types. Note that neveraudit differs from dontaudit not only wrt being applied for all checks with a given source type but also in that it disables all auditing, not just permission denials. When a type is both a permissive type and a neveraudit type, the security server can short-circuit the security_compute_av() logic, rendering the type equivalent to an unconfined type. Signed-off-by: Stephen Smalley <[email protected]>
stephensmalley
force-pushed
the
neveraudit
branch
from
dd1501d to
499950d
Compare
stephensmalley
added a commit
to stephensmalley/selinux-kernel
that referenced
this pull request
May 2, 2025
…dit|permissive Extend the task avdcache to also cache whether the task SID is both permissive and neveraudit, and return immediately if so in both selinux_inode_getattr() and selinux_inode_permission(). The same approach could be applied to many of the hook functions although the avdcache would need to be updated for more than directory search checks in order for this optimization to be beneficial for checks on objects other than directories. To test, apply SELinuxProject/selinux#473 to your selinux userspace, build and install libsepol and secilc, and use the following CIL policy module: $ cat neverauditpermissive.cil (typeneveraudit unconfined_t) (typepermissive unconfined_t) Before inserting this CIL module, perf record make -j16 of an already built allmodconfig kernel tree yields the following: 1.65% [k] __d_lookup_rcu 0.53% [k] selinux_inode_permission 0.40% [k] selinux_inode_getattr 0.20% [k] security_inode_getattr 0.15% [k] avc_lookup 0.10% [k] security_inode_permission 0.05% [k] avc_has_perm 0.02% [k] avc_policy_seqno After inserting this CIL module via semodule -i neverauditpermissive.cil, the same perf command yields the following: 1.74% [k] __d_lookup_rcu 0.31% [k] selinux_inode_permission 0.23% [k] security_inode_getattr 0.07% [k] security_inode_permission 0.03% [k] avc_policy_seqno 0.03% [k] selinux_inode_getattr 0.01% [k] avc_lookup 0.00% [k] avc_has_perm Note that the symbols are listed from highest overhead to lowest in both cases, not in the same order. Signed-off-by: Stephen Smalley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce neveraudit types i.e. types that should never trigger audit messages. This allows the AVC to skip all audit-related processing for such types. Note that neveraudit differs from dontaudit not only wrt being applied for all checks with a given source type but also in that it disables all auditing, not just permission denials.
When a type is both a permissive type and a neveraudit type, the security server can short-circuit the security_compute_av() logic, rendering the type equivalent to an unconfined type.
Test and doc updates still TBD.