selinux: don't require auditing
Audit is costly: it affects performance even when it is not in use, and the code itself is in poor shape. From LWN: "Andy submitted a patch to fix this particular problem, but he didn't stop there. He has come to the conclusion that the audit subsystem is beyond repair, so his patch marks the whole thing as being broken, making it generally inaccessible. He cited a number of problems beyond this security issue: it hurts performance even when it is not being used, it is not (in his mind) reliable, it has problems with various architectures, and "its approach to freeing memory is terrifying." All told, Andy said, we're better off without it"
parent
e2ddad7746
commit
1d45edeb90
|
@ -52,11 +52,8 @@ CONFIG_SWAP=y
|
||||||
CONFIG_CROSS_MEMORY_ATTACH=y
|
CONFIG_CROSS_MEMORY_ATTACH=y
|
||||||
# CONFIG_FHANDLE is not set
|
# CONFIG_FHANDLE is not set
|
||||||
# CONFIG_USELIB is not set
|
# CONFIG_USELIB is not set
|
||||||
CONFIG_AUDIT=y
|
# CONFIG_AUDIT is not set
|
||||||
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
|
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
|
||||||
CONFIG_AUDITSYSCALL=y
|
|
||||||
CONFIG_AUDIT_WATCH=y
|
|
||||||
CONFIG_AUDIT_TREE=y
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# IRQ subsystem
|
# IRQ subsystem
|
||||||
|
@ -5067,7 +5064,6 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
|
||||||
CONFIG_INTEGRITY=y
|
CONFIG_INTEGRITY=y
|
||||||
CONFIG_INTEGRITY_SIGNATURE=y
|
CONFIG_INTEGRITY_SIGNATURE=y
|
||||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||||
CONFIG_INTEGRITY_AUDIT=y
|
|
||||||
# CONFIG_IMA is not set
|
# CONFIG_IMA is not set
|
||||||
# CONFIG_EVM is not set
|
# CONFIG_EVM is not set
|
||||||
# CONFIG_TZ_ICCC is not set
|
# CONFIG_TZ_ICCC is not set
|
||||||
|
@ -5279,9 +5275,7 @@ CONFIG_CRC32_SLICEBY8=y
|
||||||
# CONFIG_CRC7 is not set
|
# CONFIG_CRC7 is not set
|
||||||
CONFIG_LIBCRC32C=y
|
CONFIG_LIBCRC32C=y
|
||||||
# CONFIG_CRC8 is not set
|
# CONFIG_CRC8 is not set
|
||||||
CONFIG_AUDIT_GENERIC=y
|
|
||||||
CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
|
CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
|
||||||
CONFIG_AUDIT_COMPAT_GENERIC=y
|
|
||||||
# CONFIG_RANDOM32_SELFTEST is not set
|
# CONFIG_RANDOM32_SELFTEST is not set
|
||||||
CONFIG_ZLIB_INFLATE=y
|
CONFIG_ZLIB_INFLATE=y
|
||||||
CONFIG_ZLIB_DEFLATE=y
|
CONFIG_ZLIB_DEFLATE=y
|
||||||
|
|
|
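Review bot: Setting `# CONFIG_AUDIT is not set` in the first hunk removes the backend that SELinux AVC denial records go through (`audit_log_*` via `common_lsm_audit()`, which the avc.c part of this commit compiles out), so with this defconfig no denial is recorded anywhere, not even in permissive mode; that is a detection and forensics loss the description's performance argument does not account for. The per-syscall cost the description cites comes from the syscall entry/exit hooks behind `CONFIG_AUDITSYSCALL`, which this tree appears to let you turn off independently (the same hunk drops `CONFIG_AUDITSYSCALL`, `CONFIG_AUDIT_WATCH` and `CONFIG_AUDIT_TREE` alongside it). If the goal is only to get rid of syscall auditing, keep `CONFIG_AUDIT=y` and set `# CONFIG_AUDITSYSCALL is not set`, which retains the lightweight `audit_log()` path used for AVC messages. If losing denial logging is the intent, say so explicitly in the commit message so the trade-off is on record.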
@ -1,6 +1,6 @@
|
||||||
config SECURITY_SELINUX
|
config SECURITY_SELINUX
|
||||||
bool "NSA SELinux Support"
|
bool "NSA SELinux Support"
|
||||||
depends on SECURITY_NETWORK && AUDIT && NET && INET
|
depends on SECURITY_NETWORK && NET && INET
|
||||||
select NETWORK_SECMARK
|
select NETWORK_SECMARK
|
||||||
default n
|
default n
|
||||||
help
|
help
|
||||||
|
|
|
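Review bot: Dropping `AUDIT` from the `depends on` line lets SELinux be configured with no way to report access denials, and nothing in this hunk tells the person running `make menuconfig` what is lost; the help body below `help` is outside the hunk and should now state it. Add a sentence such as `If CONFIG_AUDIT is disabled, access vector denials (including those in permissive mode) are not logged anywhere, which prevents policy development and incident analysis on this kernel.` Consider also making the silent-denial build an explicit choice, for example a sub-option that defaults to y and selects `AUDIT`, rather than a side effect of leaving AUDIT off elsewhere in the config.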
@ -107,6 +107,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
|
||||||
return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
|
return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
/**
|
/**
|
||||||
* avc_dump_av - Display an access vector in human-readable form.
|
* avc_dump_av - Display an access vector in human-readable form.
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
|
@ -173,6 +174,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
|
||||||
BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
|
BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
|
||||||
audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
|
audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* avc_init - Initialize the AVC.
|
* avc_init - Initialize the AVC.
|
||||||
|
@ -475,6 +477,7 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
|
||||||
u8 perm, int result,
|
u8 perm, int result,
|
||||||
struct common_audit_data *ad)
|
struct common_audit_data *ad)
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
u32 audited, denied;
|
u32 audited, denied;
|
||||||
|
|
||||||
audited = avc_xperms_audit_required(
|
audited = avc_xperms_audit_required(
|
||||||
|
@ -483,6 +486,9 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
|
||||||
return 0;
|
return 0;
|
||||||
return slow_avc_audit(ssid, tsid, tclass, requested,
|
return slow_avc_audit(ssid, tsid, tclass, requested,
|
||||||
audited, denied, result, ad, 0);
|
audited, denied, result, ad, 0);
|
||||||
|
#else
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
static void avc_node_free(struct rcu_head *rhead)
|
static void avc_node_free(struct rcu_head *rhead)
|
||||||
|
@ -709,6 +715,7 @@ out:
|
||||||
return node;
|
return node;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
/**
|
/**
|
||||||
* avc_audit_pre_callback - SELinux specific information
|
* avc_audit_pre_callback - SELinux specific information
|
||||||
* will be called by generic audit code
|
* will be called by generic audit code
|
||||||
|
@ -782,6 +789,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
||||||
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
|
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* avc_add_callback - Register a callback for security events.
|
* avc_add_callback - Register a callback for security events.
|
||||||
|
|
|
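Review bot: The `#ifdef CONFIG_AUDIT` / `#else` / `return 0;` / `#endif` added inside `avc_xperms_audit()` (mirrored in `avc_audit()` in avc.h and `audit_inode_permission()` in hooks.c) puts a guard into the body of every caller of `slow_avc_audit()`, which is the pattern the kernel usually avoids in favour of a single stub at the declaration. Keeping those callers unconditional and adding, next to the prototype of `slow_avc_audit()` in avc.h (outside this view), an `#else` branch with a `static inline` `slow_avc_audit()` of the same parameter list that just returns 0 would let the compiler discard the `avc_*_audit_required()` work itself and would remove the three caller-side guards. The guard that opens before `avc_audit_pre_callback()` in the `@ -709` hunk and closes after `slow_avc_audit()` in the `@ -782` hunk spans code outside this view, so please confirm nothing unrelated to auditing sits between those two points.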
@ -3035,6 +3035,7 @@ static noinline int audit_inode_permission(struct inode *inode,
|
||||||
int result,
|
int result,
|
||||||
unsigned flags)
|
unsigned flags)
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct inode_security_struct *isec = inode->i_security;
|
struct inode_security_struct *isec = inode->i_security;
|
||||||
int rc;
|
int rc;
|
||||||
|
@ -3046,6 +3047,7 @@ static noinline int audit_inode_permission(struct inode *inode,
|
||||||
audited, denied, result, &ad, flags);
|
audited, denied, result, &ad, flags);
|
||||||
if (rc)
|
if (rc)
|
||||||
return rc;
|
return rc;
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
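Review bot: With `CONFIG_AUDIT` unset, `audit_inode_permission()` is left as a `noinline` function whose entire body is `return 0;`, so `inode`, `result` and `flags` (and the remaining parameters of the signature, which begins outside this hunk) are unused and the caller still pays a real call for nothing. Either hoist the `#ifdef` outside the function and give the `#else` branch a `static inline` stub with the same signature returning 0, or guard the call site instead. Since the body appears only to build `ad` and forward to `slow_avc_audit()`, a `!CONFIG_AUDIT` stub for `slow_avc_audit()` in avc.h would make this guard unnecessary altogether.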
@ -133,6 +133,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
|
||||||
struct common_audit_data *a,
|
struct common_audit_data *a,
|
||||||
int flags)
|
int flags)
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
u32 audited, denied;
|
u32 audited, denied;
|
||||||
audited = avc_audit_required(requested, avd, result, 0, &denied);
|
audited = avc_audit_required(requested, avd, result, 0, &denied);
|
||||||
if (likely(!audited))
|
if (likely(!audited))
|
||||||
|
@ -140,6 +141,9 @@ static inline int avc_audit(u32 ssid, u32 tsid,
|
||||||
return slow_avc_audit(ssid, tsid, tclass,
|
return slow_avc_audit(ssid, tsid, tclass,
|
||||||
requested, audited, denied, result,
|
requested, audited, denied, result,
|
||||||
a, flags);
|
a, flags);
|
||||||
|
#else
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#define AVC_STRICT 1 /* Ignore permissive mode. */
|
#define AVC_STRICT 1 /* Ignore permissive mode. */
|
||||||
|
|
|
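Review bot: With `CONFIG_AUDIT` unset, `avc_audit()` now returns 0 without ever reporting a denial, which also silences permissive-mode denials — the primary tool for writing and debugging policy — and the kernel-doc above the function (outside this hunk) does not say so. Add to its description: `When CONFIG_AUDIT is disabled this is a no-op that returns 0; denials, including those in permissive mode, are not reported anywhere.` If `avc_audit_required()` is still defined unconditionally further up in this header, note there too that its result is only consumed when auditing is built in.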
@ -3275,6 +3275,7 @@ out:
|
||||||
return match;
|
return match;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_AUDIT
|
||||||
static int (*aurule_callback)(void) = audit_update_lsm_rules;
|
static int (*aurule_callback)(void) = audit_update_lsm_rules;
|
||||||
|
|
||||||
static int aurule_avc_callback(u32 event)
|
static int aurule_avc_callback(u32 event)
|
||||||
|
@ -3297,6 +3298,7 @@ static int __init aurule_init(void)
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
__initcall(aurule_init);
|
__initcall(aurule_init);
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_NETLABEL
|
#ifdef CONFIG_NETLABEL
|
||||||
/**
|
/**
|
||||||
|
|
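Review bot: The new `#ifdef CONFIG_AUDIT` begins after `selinux_audit_rule_match()` (its closing `return match;` is the context at the top of the hunk), so the `selinux_audit_rule_*` helpers stay compiled when auditing is off even though the `aurule_*` callback that refreshed their cached contexts on policy reload is compiled out. If, as I would expect, their only callers are the `security_audit_rule_*` wrappers that security.c builds only under `CONFIG_AUDIT`, extend the guard upward to cover them (and the `struct selinux_audit_rule` definition) so the `!CONFIG_AUDIT` build does not carry dead code that can no longer be reached. The `#endif` sits before `#ifdef CONFIG_NETLABEL`, so the NetLabel block is unaffected; it is worth confirming that `audit_update_lsm_rules` has no `!CONFIG_AUDIT` stub in linux/audit.h, since that is presumably why `aurule_callback` needed guarding at all.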