selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive

stephensmalley · stephensmalley · commit c6f4a2f3b00a · 2025-05-02T10:26:48.000-04:00
Extend the task avdcache to also cache whether the task SID is both permissive and neveraudit, and return immediately if so in both selinux_inode_getattr() and selinux_inode_permission(). The same approach could be applied to many of the hook functions although the avdcache would need to be updated for more than directory search checks in order for this optimization to be beneficial for checks on objects other than directories. To test, apply SELinuxProject/selinux#473 to your selinux userspace, build and install libsepol and secilc, and use the following CIL policy module: $ cat neverauditpermissive.cil (typeneveraudit unconfined_t) (typepermissive unconfined_t) Before inserting this CIL module, perf record make -j16 of an already built allmodconfig kernel tree yields the following: 1.65% [k] __d_lookup_rcu 0.53% [k] selinux_inode_permission 0.40% [k] selinux_inode_getattr 0.20% [k] security_inode_getattr 0.15% [k] avc_lookup 0.10% [k] security_inode_permission 0.05% [k] avc_has_perm 0.02% [k] avc_policy_seqno After inserting this CIL module via semodule -i neverauditpermissive.cil, the same perf command yields the following: 1.74% [k] __d_lookup_rcu 0.31% [k] selinux_inode_permission 0.23% [k] security_inode_getattr 0.07% [k] security_inode_permission 0.03% [k] avc_policy_seqno 0.03% [k] selinux_inode_getattr 0.01% [k] avc_lookup 0.00% [k] avc_has_perm Note that the symbols are listed from highest overhead to lowest in both cases, not in the same order. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -3184,6 +3184,7 @@ static inline void task_avdcache_update(struct task_security_struct *tsec,
 	tsec->avdcache.dir[spot].audited = audited;
 	tsec->avdcache.dir[spot].allowed = avd->allowed;
 	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
+	tsec->avdcache.skip = (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
 }
 
 /**
@@ -3210,10 +3211,14 @@ static int selinux_inode_permission(struct inode *inode, int requested)
 	if (!mask)
 		return 0;
 
+	tsec = selinux_cred(current_cred());
+	if (tsec->avdcache.skip && tsec->sid == tsec->avdcache.sid &&
+		tsec->avdcache.seqno == avc_policy_seqno())
+		return 0;
+
 	isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
 	if (IS_ERR(isec))
 		return PTR_ERR(isec);
-	tsec = selinux_cred(current_cred());
 	perms = file_mask_to_av(inode->i_mode, mask);
 
 	rc = task_avdcache_search(tsec, isec, &avdc);
@@ -3277,6 +3282,14 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
 
 static int selinux_inode_getattr(const struct path *path)
 {
+	struct task_security_struct *tsec;
+
+	tsec = selinux_cred(current_cred());
+
+	if (tsec->avdcache.skip && tsec->sid == tsec->avdcache.sid &&
+		tsec->avdcache.seqno == avc_policy_seqno())
+		return 0;
+
 	return path_has_perm(current_cred(), path, FILE__GETATTR);
 }
 
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
@@ -49,6 +49,7 @@ struct task_security_struct {
 		u32 seqno; /* AVC sequence number */
 		unsigned int dir_spot; /* dir cache index to check first */
 		struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */
+		bool skip; /* skip SELinux permission checking */
 	} avdcache;
 } __randomize_layout;
 
