* [PATCH] security: provide an inlined static branch for security_inode_permission()
@ 2025-11-09 19:29 Mateusz Guzik
2025-11-09 21:29 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: Mateusz Guzik @ 2025-11-09 19:29 UTC (permalink / raw)
To: paul
Cc: casey, keescook, song, andrii, kpsingh, linux-security-module,
linux-fsdevel, Mateusz Guzik
The routine is executing for every path component during name resolution in
vfs and shows up on the profile to the tune of 2% of CPU time in my
tests.
The only LSMs which install hoooks there are selinux and smack, meaning
most installs don't have it and this ends up being a call to do nothing.
While perhaps a more generic mechanism covering all hoooks would be
preferred, I implemented a bare minimum version which gets out of the
way for my needs.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
---
include/linux/security.h | 11 ++++++++++-
security/security.c | 12 ++++++++++--
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 92ac3f27b973..0ce1d73167ed 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -68,6 +68,8 @@ struct watch;
struct watch_notification;
struct lsm_ctx;
+DECLARE_STATIC_KEY_FALSE(security_inode_permission_has_hooks);
+
/* Default (no) options for the capable function */
#define CAP_OPT_NONE 0x0
/* If capable should audit the security request */
@@ -421,7 +423,14 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
int security_inode_readlink(struct dentry *dentry);
int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
bool rcu);
-int security_inode_permission(struct inode *inode, int mask);
+int __security_inode_permission(struct inode *inode, int mask);
+static inline int security_inode_permission(struct inode *inode, int mask)
+{
+ if (static_branch_unlikely(&security_inode_permission_has_hooks))
+ return __security_inode_permission(inode, mask);
+ return 0;
+}
+
int security_inode_setattr(struct mnt_idmap *idmap,
struct dentry *dentry, struct iattr *attr);
void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
diff --git a/security/security.c b/security/security.c
index 4d3c03a4524c..e879f034a77c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -51,6 +51,8 @@ do { \
#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)
+DEFINE_STATIC_KEY_FALSE(security_inode_permission_has_hooks);
+
/*
* These are descriptions of the reasons that can be passed to the
* security_locked_down() LSM hook. Placing this array here allows
@@ -639,6 +641,12 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
lsm_static_call_init(&hooks[i]);
}
+ if (static_key_enabled(&static_calls_table.inode_permission->active->key)) {
+ if (!static_key_enabled(&security_inode_permission_has_hooks.key)) {
+ static_branch_enable(&security_inode_permission_has_hooks);
+ }
+ }
+
/*
* Don't try to append during early_security_init(), we'll come back
* and fix this up afterwards.
@@ -2343,7 +2351,7 @@ int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
}
/**
- * security_inode_permission() - Check if accessing an inode is allowed
+ * __security_inode_permission() - Check if accessing an inode is allowed
* @inode: inode
* @mask: access mask
*
@@ -2356,7 +2364,7 @@ int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
*
* Return: Returns 0 if permission is granted.
*/
-int security_inode_permission(struct inode *inode, int mask)
+int __security_inode_permission(struct inode *inode, int mask)
{
if (unlikely(IS_PRIVATE(inode)))
return 0;
--
2.48.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] security: provide an inlined static branch for security_inode_permission()
2025-11-09 19:29 [PATCH] security: provide an inlined static branch for security_inode_permission() Mateusz Guzik
@ 2025-11-09 21:29 ` Paul Moore
2025-11-09 21:52 ` Mateusz Guzik
0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2025-11-09 21:29 UTC (permalink / raw)
To: Mateusz Guzik
Cc: casey, keescook, song, andrii, kpsingh, linux-security-module,
linux-fsdevel
On Sun, Nov 9, 2025 at 2:29 PM Mateusz Guzik <mjguzik@gmail.com> wrote:
>
> The routine is executing for every path component during name resolution in
> vfs and shows up on the profile to the tune of 2% of CPU time in my
> tests.
>
> The only LSMs which install hoooks there are selinux and smack, meaning
> most installs don't have it and this ends up being a call to do nothing.
Unless you have a reputable survey or analysis to back up claims like
this, please refrain from making comments like these in commit
messages. I can't speak to Smack's adoption numbers, but last I
looked in 2023, and considering only Android since numbers were easy
to source, SELinux was deployed in enforcing mode on over 3 billion
systems. Of course I don't have numbers handy for *all* Linux
systems, and there are some numbers that simply are never going to be
public, but given the +3 billion Android systems alone, I think there
is a very real likelihood that there are more systems running SELinux
than those that are not.
> While perhaps a more generic mechanism covering all hoooks would be
> preferred, I implemented a bare minimum version which gets out of the
> way for my needs.
I'd much rather see a generalized solution than hacks for a small
number of hooks.
--
paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] security: provide an inlined static branch for security_inode_permission()
2025-11-09 21:29 ` Paul Moore
@ 2025-11-09 21:52 ` Mateusz Guzik
0 siblings, 0 replies; 3+ messages in thread
From: Mateusz Guzik @ 2025-11-09 21:52 UTC (permalink / raw)
To: Paul Moore
Cc: casey, keescook, song, andrii, kpsingh, linux-security-module,
linux-fsdevel
On Sun, Nov 9, 2025 at 10:29 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Sun, Nov 9, 2025 at 2:29 PM Mateusz Guzik <mjguzik@gmail.com> wrote:
> >
> > The routine is executing for every path component during name resolution in
> > vfs and shows up on the profile to the tune of 2% of CPU time in my
> > tests.
> >
> > The only LSMs which install hoooks there are selinux and smack, meaning
> > most installs don't have it and this ends up being a call to do nothing.
>
> Unless you have a reputable survey or analysis to back up claims like
> this, please refrain from making comments like these in commit
> messages. I can't speak to Smack's adoption numbers, but last I
> looked in 2023, and considering only Android since numbers were easy
> to source, SELinux was deployed in enforcing mode on over 3 billion
> systems. Of course I don't have numbers handy for *all* Linux
> systems, and there are some numbers that simply are never going to be
> public, but given the +3 billion Android systems alone, I think there
> is a very real likelihood that there are more systems running SELinux
> than those that are not.
>
Fair, I was mostly thinking stuff like Ubuntu. Phone stuff is not on my radar.
> > While perhaps a more generic mechanism covering all hoooks would be
> > preferred, I implemented a bare minimum version which gets out of the
> > way for my needs.
>
> I'd much rather see a generalized solution than hacks for a small
> number of hooks.
>
I'll ponder about this.
> --
> paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-11-09 21:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-09 19:29 [PATCH] security: provide an inlined static branch for security_inode_permission() Mateusz Guzik
2025-11-09 21:29 ` Paul Moore
2025-11-09 21:52 ` Mateusz Guzik
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).