From 1d45edeb9085f3fda3678ab78cc326afcf3a47b9 Mon Sep 17 00:00:00 2001 From: kdrag0n Date: Wed, 26 Aug 2020 14:04:20 +0530 Subject: [PATCH] selinux: don't require auditing Audit is bad. It affects performance under all circumstances. It's also dirty. From LWN: "Andy submitted a patch to fix this particular problem, but he didn't stop there. He has come to the conclusion that the audit subsystem is beyond repair, so his patch marks the whole thing as being broken, making it generally inaccessible. He cited a number of problems beyond this security issue: it hurts performance even when it is not being used, it is not (in his mind) reliable, it has problems with various architectures, and "its approach to freeing memory is terrifying." All told, Andy said, we're better off without it" --- arch/arm64/configs/exynos7885-a7y18lte_defconfig | 8 +------- security/selinux/Kconfig | 2 +- security/selinux/avc.c | 8 ++++++++ security/selinux/hooks.c | 2 ++ security/selinux/include/avc.h | 4 ++++ security/selinux/ss/services.c | 2 ++ 6 files changed, 18 insertions(+), 8 deletions(-) diff --git a/arch/arm64/configs/exynos7885-a7y18lte_defconfig b/arch/arm64/configs/exynos7885-a7y18lte_defconfig index ca2aae651..34bd52d4e 100644 --- a/arch/arm64/configs/exynos7885-a7y18lte_defconfig +++ b/arch/arm64/configs/exynos7885-a7y18lte_defconfig @@ -52,11 +52,8 @@ CONFIG_SWAP=y CONFIG_CROSS_MEMORY_ATTACH=y # CONFIG_FHANDLE is not set # CONFIG_USELIB is not set -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -5067,7 +5064,6 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set # CONFIG_TZ_ICCC is not set 
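Review bot: Unsetting CONFIG_AUDIT here removes the only channel through which SELinux denials are reported, and neither this hunk nor the commit description says so. slow_avc_audit() is what produces the `avc: denied` records, and the avc.c, avc.h and hooks.c hunks compile that call out, so in this configuration a denied access is still refused but never logged anywhere; as far as I can tell the same holds in permissive mode, which leaves no way to see what a policy would block. The description should state that trade-off explicitly, e.g. `Without CONFIG_AUDIT, AVC denials are enforced but never logged.`, and the `#else` branches added to avc_audit() and avc_xperms_audit() deserve the same one-line comment so the silent `return 0` is not read as a bug. The related hunk in security/selinux/Kconfig drops `depends on AUDIT`, which is what makes this configuration buildable at all.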
@@ -5279,9 +5275,7 @@ CONFIG_CRC32_SLICEBY8=y # CONFIG_CRC7 is not set CONFIG_LIBCRC32C=y # CONFIG_CRC8 is not set -CONFIG_AUDIT_GENERIC=y CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y -CONFIG_AUDIT_COMPAT_GENERIC=y # CONFIG_RANDOM32_SELFTEST is not set CONFIG_ZLIB_INFLATE=y CONFIG_ZLIB_DEFLATE=y diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 8691e92f2..ddd09c9cb 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -1,6 +1,6 @@ config SECURITY_SELINUX bool "NSA SELinux Support" - depends on SECURITY_NETWORK && AUDIT && NET && INET + depends on SECURITY_NETWORK && NET && INET select NETWORK_SECMARK default n help diff --git a/security/selinux/avc.c b/security/selinux/avc.c index ff70bc1b5..4fad640e8 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -107,6 +107,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); } +#ifdef CONFIG_AUDIT /** * avc_dump_av - Display an access vector in human-readable form. * @tclass: target security class @@ -173,6 +174,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); } +#endif /** * avc_init - Initialize the AVC. @@ -475,6 +477,7 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass, u8 perm, int result, struct common_audit_data *ad) { +#ifdef CONFIG_AUDIT u32 audited, denied; audited = avc_xperms_audit_required( @@ -483,6 +486,9 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass, return 0; return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, result, ad, 0); +#else + return 0; +#endif } static void avc_node_free(struct rcu_head *rhead) @@ -709,6 +715,7 @@ out: return node; } +#ifdef CONFIG_AUDIT /** * avc_audit_pre_callback - SELinux specific information * will be called by generic audit code 
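Review bot: Dropping `depends on AUDIT` lets SECURITY_SELINUX be configured without any denial reporting, but nothing in the option tells a configurator what is lost; the `help` block begins on the hunk's last line and its text is outside the hunk. A sentence in that help text, e.g. `If AUDIT is not enabled, access vector denials are enforced but not reported.`, documents the new behaviour where the person enabling the option will read it. The exact placement depends on the existing help wording, which I cannot see here.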
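Review bot: The bare `#endif` closing the guard opened before avc_dump_av() sits roughly 65 lines from its `#ifdef CONFIG_AUDIT`, in a file that already has other preprocessor regions, so it should be labelled `#endif /* CONFIG_AUDIT */`; the same goes for the `#endif` after slow_avc_audit(), the one inside audit_inode_permission() in hooks.c, the one inside avc_audit() in avc.h and the one after aurule_init() in services.c. audit_inode_permission() also falls through to its pre-existing `return 0;` after the `#endif`, whereas avc_audit() and avc_xperms_audit() use an explicit `#else` / `return 0;`, so the three stubs read differently for no reason; one form across all three would make them easier to spot. The kernel coding-style document prefers `if (!IS_ENABLED(CONFIG_AUDIT)) return 0;` to in-body `#ifdef`, though that only works if slow_avc_audit() stays declared and linkable in the !AUDIT build, which I cannot confirm from the patch. The guarded region's opening `#ifdef` is in the earlier hunk at line 107.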
@@ -782,6 +789,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); return 0; } +#endif /** * avc_add_callback - Register a callback for security events. diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fcae49254..9958ff3ea 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3035,6 +3035,7 @@ static noinline int audit_inode_permission(struct inode *inode, int result, unsigned flags) { +#ifdef CONFIG_AUDIT struct common_audit_data ad; struct inode_security_struct *isec = inode->i_security; int rc; @@ -3046,6 +3047,7 @@ static noinline int audit_inode_permission(struct inode *inode, audited, denied, result, &ad, flags); if (rc) return rc; +#endif return 0; } diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 0999df03a..9da59efd4 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -133,6 +133,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, struct common_audit_data *a, int flags) { +#ifdef CONFIG_AUDIT u32 audited, denied; audited = avc_audit_required(requested, avd, result, 0, &denied); if (likely(!audited)) @@ -140,6 +141,9 @@ static inline int avc_audit(u32 ssid, u32 tsid, return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, result, a, flags); +#else + return 0; +#endif } #define AVC_STRICT 1 /* Ignore permissive mode. */ diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 51c7af299..91bad8c54 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3275,6 +3275,7 @@ out: return match; } +#ifdef CONFIG_AUDIT static int (*aurule_callback)(void) = audit_update_lsm_rules; static int aurule_avc_callback(u32 event) @@ -3297,6 +3298,7 @@ static int __init aurule_init(void) return err; } __initcall(aurule_init); +#endif #ifdef CONFIG_NETLABEL /**
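Review bot: The new guard in services.c covers only the aurule callback registration, while the selinux_audit_rule_*() helpers — the hunk's leading context `out: return match; }` looks like the tail of selinux_audit_rule_match(), whose body starts outside the hunk — stay compiled in a !AUDIT build. If the audit_rule LSM hook entries in hooks.c are themselves under `#ifdef CONFIG_AUDIT`, as they are upstream, those helpers become dead code in this configuration and the guard could be moved up to cover them as well. They are non-static, so the compiler will not flag them; this needs a deliberate decision rather than a warning to catch it.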