Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CHROMIUM: selinux: Do not log permissive denials
If an access triggers a denial, but it was allowed due to a global or per-domain permissive mode (i.e. the message would have a "permissive=1" field), don't even bother going through the slow audit path to print the message.

The permissive=1 messages spam the kernel logs making it much harder to see other useful messages. On elm, each slow_avc_audit() call consumes ~10-60 us.

Signed-off-by: Daniel Kurtz <[email protected]>

BUG=chromium:653575
TEST=Boot, inspect /var/log/messages, no more messages like:
[ 1.372604] audit: type=1400 audit(1475767701.728:4): avc: denied { read } for pid=1 comm="init" name="ld-linux-armhf.so.3" dev="dm-0" ino=40094 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file permissive=1
[ 1.372640] audit: type=1400 audit(1475767701.728:5): avc: denied { execute } for pid=1 comm="init" name="ld-2.19.so" dev="dm-0" ino=40084 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1

Change-Id: Ic5b0630299f6bcac53659771b6c0cfef9cc13e2e
Reviewed-on: https://chromium-review.googlesource.com/413144
Commit-Ready: Daniel Kurtz <[email protected]>
Tested-by: Daniel Kurtz <[email protected]>
Reviewed-by: Luis Hector Chavez <[email protected]>
Reviewed-by: Jorge Lucangeli Obes <[email protected]>
(cherry picked from commit 1456e8755f19355e2d06430f6f378399b52571aa)
Reviewed-on: https://chromium-review.googlesource.com/414285
Commit-Ready: Brian Norris <[email protected]>
Tested-by: Brian Norris <[email protected]>
[@nathanchance: removed CONFIG_SECURITY_SELINUX_DEVELOP option]
Signed-off-by: Nathan Chancellor <[email protected]>
Signed-off-by: celtare21 <[email protected]>
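An added example, not part of this commit or of the kernel tree it targets: a log triage script that separates permissive=1 AVC records (the ones this change stops emitting) from enforced denials, so a policy author can see what visibility is lost on a kernel carrying the patch. The first two sample records are the ones quoted in the TEST line; the third record and the names `parse_avc` and `triage` are constructed for the example.

```python
import re
from collections import Counter

# Records 1-2 are quoted from the commit message's TEST line; record 3 is
# constructed here (permissive=0) to show an enforced denial for contrast.
SAMPLE_LOG = """\
[ 1.372604] audit: type=1400 audit(1475767701.728:4): avc: denied { read } for pid=1 comm="init" name="ld-linux-armhf.so.3" dev="dm-0" ino=40094 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file permissive=1
[ 1.372640] audit: type=1400 audit(1475767701.728:5): avc: denied { execute } for pid=1 comm="init" name="ld-2.19.so" dev="dm-0" ino=40084 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 2.000000] audit: type=1400 audit(1475767702.100:6): avc: denied { write } for pid=99 comm="example" name="constructed" dev="dm-0" ino=1 scontext=u:r:example:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # Records lacking a permissive= field are counted as enforced.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def triage(log_text):
    """Count denials per (scontext, tcontext, tclass, perm), split by mode."""
    enforced, permissive = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = permissive if rec["permissive"] else enforced
        for perm in rec["perms"]:
            key = (rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"), perm)
            bucket[key] += 1
    return enforced, permissive

if __name__ == "__main__":
    enforced, permissive = triage(SAMPLE_LOG)
    for name, bucket in (("enforced", enforced), ("permissive-only", permissive)):
        for (s, t, c, p), n in sorted(bucket.items()):
            print(f"{name}: {n}x {s} -> {t} {c} {{ {p} }}")
```

On a kernel with this change applied, the permissive-only bucket stays empty, so accesses that would be blocked once a domain is switched to enforcing no longer show up in the log.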