Message-ID: <0fcac6a8-4ab8-91bc-34e0-cbbb81da3973@schaufler-ca.com>
Date: Mon, 17 Jul 2023 13:31:41 -0700
Subject: Re: [PATCH] selinux: optimize major part with a kernel config in selinux_mmap_addr()
To: Paul Moore, Leesoo Ahn
Cc: lsahn@wewakecorp.com, Stephen Smalley, Eric Paris, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler
References: <20230710082500.1838896-1-lsahn@wewakecorp.com>
From: Casey Schaufler

On 7/17/2023 1:13 PM, Paul Moore wrote:
> On Mon, Jul 10, 2023 at 4:25 AM Leesoo Ahn wrote:
>> The major part, the conditional branch in selinux_mmap_addr() is always to be
>> false so long as CONFIG_LSM_MMAP_MIN_ADDR is set to zero at compile time.
>>
>> This usually happens in some linux distros, for instance Ubuntu, which
>> the config is set to zero in release version. Therefore it could be a bit
>> optimized with '#if ' at compile time.
>>
>> Signed-off-by: Leesoo Ahn
>> ---
>> security/selinux/hooks.c | 2 ++
>> 1 file changed, 2 insertions(+)
> First, I agree with Stephen's comments that you should ask your distro
> (you mentioned Debian) to move MIN_ADDR higher. Beyond that, I have
> one request, see below ...
>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index d06e350fedee..a049aab6524b 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c
>> @@ -3723,11 +3723,13 @@ static int selinux_mmap_addr(unsigned long addr) >> { >> int rc = 0; >> >> +#if CONFIG_LSM_MMAP_MIN_ADDR > 0 >> if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { >> u32 sid = current_sid(); >> rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, >> MEMPROTECT__MMAP_ZERO, NULL); >> } >> +#endif >> >> return rc; >> }
> Pre-processor conditionals inside a function are generally something
> we don't recommend. In this case I would suggest doing something like
> this:
>
> #if (MMAP_MIN_ADDR > 0)
> static int selinux_mmap_addr(...)
> {
>   /* current func definition */
> }
> #else /* MMAP_MIN_ADDR > 0 */
> static int selinux_mmap_addr(...)
> {
>   return 0;
> }
> #endif /* MMAP_MIN_ADDR > 0 */

Better yet, skip the #else here and #if out the LSM_HOOK_INIT(mmap_addr, ...).
No hook at all is faster than a hook that does nothing.
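
Review bot: The '#if CONFIG_LSM_MMAP_MIN_ADDR > 0' / '#endif' pair placed inside selinux_mmap_addr() does not remove anything the compiler could not already remove: 'addr' is 'unsigned long', so with the option at 0 the test 'addr < CONFIG_LSM_MMAP_MIN_ADDR' is constant-false and the branch is dead code. What still costs something at a zero setting is the call into the hook, and this guard leaves that in place. Put the guard around the whole function together with its LSM_HOOK_INIT(mmap_addr, ...) entry, so that a zero setting registers no hook and leaves no unused static function behind, and add a comment at the guard stating that with a value of 0 the MEMPROTECT__MMAP_ZERO permission is never checked.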