[PATCH] security: provide an inlined static branch for security_inode_permission()

Mateusz Guzik mjguzik at gmail.com
Sun Nov 9 19:29:40 UTC 2025 

The routine is executing for every path component during name resolution in
vfs and shows up on the profile to the tune of 2% of CPU time in my
tests.

The only LSMs which install hoooks there are selinux and smack, meaning
most installs don't have it and this ends up being a call to do nothing.

While perhaps a more generic mechanism covering all hoooks would be
preferred, I implemented a bare minimum version which gets out of the
way for my needs.

Signed-off-by: Mateusz Guzik <mjguzik at gmail.com>
---
 include/linux/security.h | 11 ++++++++++-
 security/security.c      | 12 ++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 92ac3f27b973..0ce1d73167ed 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -68,6 +68,8 @@ struct watch;
 struct watch_notification;
 struct lsm_ctx;
 
+DECLARE_STATIC_KEY_FALSE(security_inode_permission_has_hooks);
+
 /* Default (no) options for the capable function */
 #define CAP_OPT_NONE 0x0
 /* If capable should audit the security request */
@@ -421,7 +423,14 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
 			       bool rcu);
-int security_inode_permission(struct inode *inode, int mask);
+int __security_inode_permission(struct inode *inode, int mask);
+static inline int security_inode_permission(struct inode *inode, int mask)
+{
+	if (static_branch_unlikely(&security_inode_permission_has_hooks))
+		return __security_inode_permission(inode, mask);
+	return 0;
+}
+
 int security_inode_setattr(struct mnt_idmap *idmap,
 			   struct dentry *dentry, struct iattr *attr);
 void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
diff --git a/security/security.c b/security/security.c
index 4d3c03a4524c..e879f034a77c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -51,6 +51,8 @@ do {						\
 
 #define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)
 
+DEFINE_STATIC_KEY_FALSE(security_inode_permission_has_hooks);
+
 /*
  * These are descriptions of the reasons that can be passed to the
  * security_locked_down() LSM hook. Placing this array here allows
@@ -639,6 +641,12 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
 		lsm_static_call_init(&hooks[i]);
 	}
 
+	if (static_key_enabled(&static_calls_table.inode_permission->active->key)) {
+		if (!static_key_enabled(&security_inode_permission_has_hooks.key)) {
+			static_branch_enable(&security_inode_permission_has_hooks);
+		}
+	}
+
 	/*
 	 * Don't try to append during early_security_init(), we'll come back
 	 * and fix this up afterwards.
@@ -2343,7 +2351,7 @@ int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
 }
 
 /**
- * security_inode_permission() - Check if accessing an inode is allowed
+ * __security_inode_permission() - Check if accessing an inode is allowed
  * @inode: inode
  * @mask: access mask
  *
@@ -2356,7 +2364,7 @@ int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_inode_permission(struct inode *inode, int mask)
+int __security_inode_permission(struct inode *inode, int mask)
 {
 	if (unlikely(IS_PRIVATE(inode)))
 		return 0;
-- 
2.48.1

More information about the Linux-security-module-archive mailing list