selinux: don't require auditing

Audit is bad. It affects performance under all circumstances. It's also dirty. From LWN: "Andy submitted a patch to fix this particular problem, but he didn't stop there. He has come to the conclusion that the audit subsystem is beyond repair, so his patch marks the whole thing as being broken, making it generally inaccessible. He cited a number of problems beyond this security issue: it hurts performance even when it is not being used, it is not (in his mind) reliable, it has problems with various architectures, and "its approach to freeing memory is terrifying." All told, Andy said, we're better off without it"
2020-08-26 14:04:20 +05:30 · 2020-08-26 14:04:20 +05:30 · 1d45edeb90
commit 1d45edeb90
parent e2ddad7746
6 changed files with 18 additions and 8 deletions
--- a/arch/arm64/configs/exynos7885-a7y18lte_defconfig
+++ b/arch/arm64/configs/exynos7885-a7y18lte_defconfig
@ -52,11 +52,8 @@ CONFIG_SWAP=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_FHANDLE is not set
 # CONFIG_USELIB is not set
-CONFIG_AUDIT=y
+# CONFIG_AUDIT is not set
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y

 #
 # IRQ subsystem
@ -5067,7 +5064,6 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 # CONFIG_TZ_ICCC is not set
@ -5279,9 +5275,7 @@ CONFIG_CRC32_SLICEBY8=y
 # CONFIG_CRC7 is not set
 CONFIG_LIBCRC32C=y
 # CONFIG_CRC8 is not set
-CONFIG_AUDIT_GENERIC=y
 CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
-CONFIG_AUDIT_COMPAT_GENERIC=y
 # CONFIG_RANDOM32_SELFTEST is not set
 CONFIG_ZLIB_INFLATE=y
 CONFIG_ZLIB_DEFLATE=y
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && AUDIT && NET && INET
+	depends on SECURITY_NETWORK && NET && INET
 	select NETWORK_SECMARK
 	default n
 	help
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@ -107,6 +107,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 	return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
 }

+#ifdef CONFIG_AUDIT
 /**
 * avc_dump_av - Display an access vector in human-readable form.
 * @tclass: target security class
@ -173,6 +174,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
 	BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
 	audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
 }
+#endif

 /**
 * avc_init - Initialize the AVC.
@ -475,6 +477,7 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
 				u8 perm, int result,
 				struct common_audit_data *ad)
 {
+#ifdef CONFIG_AUDIT
 	u32 audited, denied;

 	audited = avc_xperms_audit_required(
@ -483,6 +486,9 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
 		return 0;
 	return slow_avc_audit(ssid, tsid, tclass, requested,
 			audited, denied, result, ad, 0);
+#else
+	return 0;
+#endif
 }

 static void avc_node_free(struct rcu_head *rhead)
@ -709,6 +715,7 @@ out:
 	return node;
 }

+#ifdef CONFIG_AUDIT
 /**
 * avc_audit_pre_callback - SELinux specific information
 * will be called by generic audit code
@ -782,6 +789,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 	common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
 	return 0;
 }
+#endif

 /**
 * avc_add_callback - Register a callback for security events.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -3035,6 +3035,7 @@ static noinline int audit_inode_permission(struct inode *inode,
 					   int result,
 					   unsigned flags)
 {
+#ifdef CONFIG_AUDIT
 	struct common_audit_data ad;
 	struct inode_security_struct *isec = inode->i_security;
 	int rc;
@ -3046,6 +3047,7 @@ static noinline int audit_inode_permission(struct inode *inode,
 			    audited, denied, result, &ad, flags);
 	if (rc)
 		return rc;
+#endif
 	return 0;
 }

--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@ -133,6 +133,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
 			    struct common_audit_data *a,
 			    int flags)
 {
+#ifdef CONFIG_AUDIT
 	u32 audited, denied;
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
 	if (likely(!audited))
@ -140,6 +141,9 @@ static inline int avc_audit(u32 ssid, u32 tsid,
 	return slow_avc_audit(ssid, tsid, tclass,
 			      requested, audited, denied, result,
 			      a, flags);
+#else
+	return 0;
+#endif
 }

 #define AVC_STRICT 1 /* Ignore permissive mode. */
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@ -3275,6 +3275,7 @@ out:
 	return match;
 }

+#ifdef CONFIG_AUDIT
 static int (*aurule_callback)(void) = audit_update_lsm_rules;

 static int aurule_avc_callback(u32 event)
@ -3297,6 +3298,7 @@ static int __init aurule_init(void)
 	return err;
 }
 __initcall(aurule_init);
+#endif

 #ifdef CONFIG_NETLABEL
 /**