[PATCH] security: provide an inlined static branch for security_inode_permission()

Paul Moore paul at paul-moore.com
Sun Nov 9 21:29:35 UTC 2025


On Sun, Nov 9, 2025 at 2:29 PM Mateusz Guzik <mjguzik at gmail.com> wrote:
>
> The routine is executing for every path component during name resolution in
> vfs and shows up on the profile to the tune of 2% of CPU time in my
> tests.
>
> The only LSMs which install hooks there are selinux and smack, meaning
> most installs don't have it and this ends up being a call to do nothing.

Unless you have a reputable survey or analysis to back up claims like
this, please refrain from making comments like these in commit
messages.  I can't speak to Smack's adoption numbers, but last I
looked in 2023, and considering only Android since numbers were easy
to source, SELinux was deployed in enforcing mode on over 3 billion
systems.  Of course I don't have numbers handy for *all* Linux
systems, and there are some numbers that simply are never going to be
public, but given the +3 billion Android systems alone, I think there
is a very real likelihood that there are more systems running SELinux
than those that are not.

> While perhaps a more generic mechanism covering all hooks would be
> preferred, I implemented a bare minimum version which gets out of the
> way for my needs.

I'd much rather see a generalized solution than hacks for a small
number of hooks.

-- 
paul-moore.com


