[PATCH v3 5/5] security: Add CONFIG_SECURITY_HOOK_LIKELY
Song Liu
song at kernel.org
Thu Sep 21 23:03:02 UTC 2023
On Mon, Sep 18, 2023 at 2:25 PM KP Singh <kpsingh at kernel.org> wrote:
>
[...]
> 0xffffffff818f0e72 <+66>: mov %r14,%rdi
> 0xffffffff818f0e75 <+69>: mov %ebp,%esi
> 0xffffffff818f0e77 <+71>: mov %rbx,%rdx
> 0xffffffff818f0e7a <+74>: nopl 0x0(%rax,%rax,1)
> 0xffffffff818f0e7f <+79>: test %eax,%eax
> 0xffffffff818f0e81 <+81>: jne 0xffffffff818f0e4d <security_file_ioctl+29>
> 0xffffffff818f0e83 <+83>: jmp 0xffffffff818f0e49 <security_file_ioctl+25>
> 0xffffffff818f0e85 <+85>: endbr64
> 0xffffffff818f0e89 <+89>: mov %r14,%rdi
> 0xffffffff818f0e8c <+92>: mov %ebp,%esi
> 0xffffffff818f0e8e <+94>: mov %rbx,%rdx
> 0xffffffff818f0e91 <+97>: pop %rbx
> 0xffffffff818f0e92 <+98>: pop %r14
> 0xffffffff818f0e94 <+100>: pop %rbp
> 0xffffffff818f0e95 <+101>: ret
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
Acked-by: Song Liu <song at kernel.org>
Thanks,
Song
> ---
> security/Kconfig | 11 +++++++++++
> security/security.c | 12 +++++++-----
> 2 files changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 52c9af08ad35..bd2a0dff991a 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -32,6 +32,17 @@ config SECURITY
>
> If you are unsure how to answer this question, answer N.
>
> +config SECURITY_HOOK_LIKELY
> + bool "LSM hooks are likely to be initialized"
> + depends on SECURITY
> + default y
> + help
> + This controls the behaviour of the static keys that guard LSM hooks.
> + If LSM hooks are likely to be initialized by LSMs, then one gets
> + better performance by enabling this option. However, if the system is
> + using an LSM where hooks are much likely to be disabled, one gets
> + better performance by disabling this config.
> +
> config SECURITYFS
> bool "Enable the securityfs filesystem"
> help
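Review bot: The help text on the new option does not say what the knob actually controls, and the sentence `using an LSM where hooks are much likely to be disabled` is ungrammatical; a reader could take it to mean the option enables or disables LSM hooks, when (per the security.c hunks in the same patch) it only chooses the likely/unlikely branch layout emitted around the static-key guard. Suggest `using an LSM where most hooks are likely to remain disabled, one gets` for that line, and an added closing sentence `This option affects only code layout and performance; it never changes which LSM hooks are invoked.` The `default y` is presumably aimed at the common case of a full LSM registering most hooks; stating that rationale in the help would make the choice reviewable.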
> diff --git a/security/security.c b/security/security.c
> index d1ee72e563cc..7ab0e044f83d 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -105,9 +105,9 @@ static __initdata struct lsm_info *exclusive;
> * Define static calls and static keys for each LSM hook.
> */
>
> -#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \
> - DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \
> - *((RET(*)(__VA_ARGS__))NULL)); \
> +#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \
> + DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \
> + *((RET(*)(__VA_ARGS__))NULL)); \
> DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));
>
> #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
> @@ -825,7 +825,8 @@ static int lsm_superblock_alloc(struct super_block *sb)
> */
> #define __CALL_STATIC_VOID(NUM, HOOK, ...) \
> do { \
> - if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
> + if (static_branch_maybe(CONFIG_SECURITY_HOOK_LIKELY, \
> + &SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
> static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
> } \
> } while (0);
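Review bot: The new `static_branch_maybe(CONFIG_SECURITY_HOOK_LIKELY, ...)` guard in `__CALL_STATIC_VOID` has no comment saying that the config only picks the `likely`/`unlikely` code layout and that the static key's runtime state still decides whether the hook is called, so a reader auditing hook coverage has to go to the `static_branch_maybe` definition to convince themselves no hook can be skipped by a config choice. Suggest a comment above the `if`: `/* CONFIG_SECURITY_HOOK_LIKELY only selects branch layout; the key state alone decides whether the hook runs. */`. The comment block ending at the `*/` just above the hunk (its body is outside this view) presumably still describes the old `unlikely` assumption and should be revisited as well.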
> @@ -837,7 +838,8 @@ do { \
>
> #define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \
> do { \
> - if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
> + if (static_branch_maybe(CONFIG_SECURITY_HOOK_LIKELY, \
> + &SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
> R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
> if (R != 0) \
> goto LABEL; \
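Review bot: The guard expression `static_branch_maybe(CONFIG_SECURITY_HOOK_LIKELY, &SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))` is now spelled out twice, here in `__CALL_STATIC_INT` and in `__CALL_STATIC_VOID` in the previous hunk, so a future change to the layout policy has to be kept in sync by hand. A one-line helper such as `#define LSM_HOOK_ACTIVE(HOOK, NUM) static_branch_maybe(CONFIG_SECURITY_HOOK_LIKELY, &SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))` used from both macros would keep the two call paths consistent. The `__CALL_STATIC_INT` macro continues past the end of this hunk.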
> --
> 2.42.0.459.ge4e396fd5e-goog
>