From bdcca70fa4cef0032c519770fdea1f6a28d3e233 Mon Sep 17 00:00:00 2001 From: Daniel Kurtz Date: Fri, 25 May 2018 19:40:41 +0300 Subject: [PATCH] CHROMIUM: selinux: Do not log permissive denials If an access triggers an denial, but it was allowed due to a global or per-domain permissive mode, (ie the message would have a "permissive=1" field), don't even bother going through the slow audit path to print the message. The permissive=1 messages spam the kernel logs making it much harder to see other useful messages. On elm, each slow_avc_audit() call consumes ~10-60 us. Signed-off-by: Daniel Kurtz BUG=chromium:653575 TEST=Boot, inspect /var/log/messages, no more messages like: [ 1.372604] audit: type=1400 audit(1475767701.728:4): avc: denied { read } for pid=1 comm="init" name="ld-linux-armhf.so.3" dev="dm-0" ino=40094 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file permissive=1 [ 1.372640] audit: type=1400 audit(1475767701.728:5): avc: denied { execute } for pid=1 comm="init" name="ld-2.19.so" dev="dm-0" ino=40084 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 Change-Id: Ic5b0630299f6bcac53659771b6c0cfef9cc13e2e Reviewed-on: https://chromium-review.googlesource.com/413144 Commit-Ready: Daniel Kurtz Tested-by: Daniel Kurtz Reviewed-by: Luis Hector Chavez Reviewed-by: Jorge Lucangeli Obes (cherry picked from commit 1456e8755f19355e2d06430f6f378399b52571aa) Reviewed-on: https://chromium-review.googlesource.com/414285 Commit-Ready: Brian Norris Tested-by: Brian Norris [@nathanchance: removed CONFIG_SECURITY_SELINUX_DEVELOP option] Signed-off-by: Nathan Chancellor Signed-off-by: celtare21 --- security/selinux/avc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index e1efe744c6a5..857b9bf916cf 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -779,6 +779,10 @@ noinline int slow_avc_audit(struct selinux_state *state, if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) return -EINVAL; + /* Only log permissive=1 messages for SECURITY_SELINUX_DEVELOP */ + if (denied && !result) + return 0; + if (!a) { a = &stack_data; a->type = LSM_AUDIT_DATA_NONE;