selinux: reduce calls to context_struct_to_string()

context_struct_to_string() contains expensive kmalloc() calls.

In most cases, there's no purpose in calling context_struct_to_string()
on !CONFIG_AUDIT as logs won't be saved anyways.

Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0a258c0..1263c00 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -443,6 +443,7 @@ mls_ops:
        return s[0];
 }
 
+#ifdef CONFIG_AUDIT
 /*
  * security_dump_masked_av - dumps masked permissions during
  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
@@ -532,6 +533,7 @@ out:
 
        return;
 }
+#endif
 
 /*
  * security_boundary_permission - drops violated permissions
@@ -610,9 +612,11 @@ static void type_attribute_bounds_av(struct context *scontext,
                /* mask violated permissions */
                avd->allowed &= ~masked;
 
+#ifdef CONFIG_AUDIT
                /* audit masked permissions */
                security_dump_masked_av(scontext, tcontext,
                                        tclass, masked, "bounds");
+#endif
        }
 }
 
@@ -750,11 +754,12 @@ static void context_struct_compute_av(struct context *scontext,
                                 tclass, avd);
 }
 
-static int security_validtrans_handle_fail(struct context *ocontext,
+static inline int security_validtrans_handle_fail(struct context *ocontext,
                                           struct context *ncontext,
                                           struct context *tcontext,
                                           u16 tclass)
 {
+#ifdef CONFIG_AUDIT
        char *o = NULL, *n = NULL, *t = NULL;
        u32 olen, nlen, tlen;
 
@@ -772,6 +777,7 @@ out:
        kfree(o);
        kfree(n);
        kfree(t);
+#endif
 
        if (!selinux_enforcing)
                return 0;
@@ -905,6 +911,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
                index = type->bounds;
        }
 
+#ifdef CONFIG_AUDIT
        if (rc) {
                char *old_name = NULL;
                char *new_name = NULL;
@@ -924,6 +931,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
                kfree(new_name);
                kfree(old_name);
        }
+#endif
 out:
        read_unlock(&policy_rwlock);
 
@@ -1511,12 +1519,13 @@ int security_context_to_sid_force(const char *scontext, u32 scontext_len,
                                            sid, SECSID_NULL, GFP_KERNEL, 1);
 }
 
-static int compute_sid_handle_invalid_context(
+static inline int compute_sid_handle_invalid_context(
        struct context *scontext,
        struct context *tcontext,
        u16 tclass,
        struct context *newcontext)
 {
+#ifdef CONFIG_AUDIT
        char *s = NULL, *t = NULL, *n = NULL;
        u32 slen, tlen, nlen;
 
@@ -1536,6 +1545,8 @@ out:
        kfree(s);
        kfree(t);
        kfree(n);
+#endif
+
        if (!selinux_enforcing)
                return 0;
        return -EACCES;
@@ -1824,16 +1835,20 @@ static int clone_sid(u32 sid,
 
 static inline int convert_context_handle_invalid_context(struct context *context)
 {
+#ifdef CONFIG_AUDIT
        char *s;
        u32 len;
+#endif
 
        if (selinux_enforcing)
                return -EINVAL;
 
+#ifdef CONFIG_AUDIT
        if (!context_struct_to_string(context, &s, &len)) {
                printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
                kfree(s);
        }
+#endif
        return 0;
 }
 
@@ -1861,8 +1876,10 @@ static int convert_context(u32 key,
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *s;
-       u32 len;
        int rc = 0;
+#ifdef CONFIG_AUDIT
+       u32 len;
+#endif
 
        if (key <= SECINITSID_NUM)
                goto out;
@@ -1975,6 +1992,7 @@ static int convert_context(u32 key,
 out:
        return rc;
 bad:
+#ifdef CONFIG_AUDIT
        /* Map old representation to string and save it. */
        rc = context_struct_to_string(&oldc, &s, &len);
        if (rc)
@@ -1987,6 +2005,9 @@ bad:
               c->str);
        rc = 0;
        goto out;
+#else
+       return 0;
+#endif
 }
 
 static void security_load_policycaps(void)
@@ -2735,9 +2756,11 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        struct context *context1;
        struct context *context2;
        struct context newcon;
+       int rc;
+#ifdef CONFIG_AUDIT
        char *s;
        u32 len;
-       int rc;
+#endif
 
        rc = 0;
        if (!ss_initialized || !policydb.mls_enabled) {
@@ -2776,6 +2799,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        if (!policydb_context_isvalid(&policydb, &newcon)) {
                rc = convert_context_handle_invalid_context(&newcon);
                if (rc) {
+#ifdef CONFIG_AUDIT
                        if (!context_struct_to_string(&newcon, &s, &len)) {
                                audit_log(current->audit_context,
                                          GFP_ATOMIC, AUDIT_SELINUX_ERR,
@@ -2783,6 +2807,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
                                          "invalid_context=%s", s);
                                kfree(s);
                        }
+#endif
                        goto out_unlock;
                }
        }