[PATCH] security: provide an inlined static branch for security_inode_permission()

Mateusz Guzik mjguzik at gmail.com
Sun Nov 9 21:52:32 UTC 2025


On Sun, Nov 9, 2025 at 10:29 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Sun, Nov 9, 2025 at 2:29 PM Mateusz Guzik <mjguzik at gmail.com> wrote:
> >
> > The routine is executing for every path component during name resolution in
> > vfs and shows up on the profile to the tune of 2% of CPU time in my
> > tests.
> >
> > The only LSMs which install hooks there are selinux and smack, meaning
> > most installs don't have it and this ends up being a call to do nothing.
>
> Unless you have a reputable survey or analysis to back up claims like
> this, please refrain from making comments like these in commit
> messages.  I can't speak to Smack's adoption numbers, but last I
> looked in 2023, and considering only Android since numbers were easy
> to source, SELinux was deployed in enforcing mode on over 3 billion
> systems.  Of course I don't have numbers handy for *all* Linux
> systems, and there are some numbers that simply are never going to be
> public, but given the +3 billion Android systems alone, I think there
> is a very real likelihood that there are more systems running SELinux
> than those that are not.
>

Fair, I was mostly thinking stuff like Ubuntu. Phone stuff is not on my radar.

> > While perhaps a more generic mechanism covering all hooks would be
> > preferred, I implemented a bare minimum version which gets out of the
> > way for my needs.
>
> I'd much rather see a generalized solution than hacks for a small
> number of hooks.
>

I'll ponder about this.

> --
> paul-moore.com


