From 9bf1253932f7099c15e00b49f902acd0ddcae2cf Mon Sep 17 00:00:00 2001
From: Sultan Alsawaf
Date: Sun, 12 Feb 2023 16:34:36 -0800
Subject: [PATCH] selinux: Remove audit dependency

Auditing comes with a lot of overhead due to string assembly via vsnprintf. It isn't actually needed to make SELinux work, so remove SELinux's artificial dependency on it to make it possible to use SELinux without the unneeded overhead.

Signed-off-by: Sultan Alsawaf
---
 include/linux/audit.h | 5 +++++
 include/linux/lsm_audit.h | 8 ++++++++
 security/Makefile | 2 +-
 security/selinux/Kconfig | 2 +-
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index b3d859831..0efa40582 100755
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -268,6 +268,11 @@ static inline int audit_signal_info(int sig, struct task_struct *t)
 return 0;
 }
 
+static inline int audit_update_lsm_rules(void)
+{
+ return 0;
+}
+
 #endif /* CONFIG_AUDIT */
 
 #ifdef CONFIG_AUDIT_COMPAT_GENERIC
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 91d6990b7..0c303e200 100755
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -118,8 +118,16 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
 int ipv6_skb_to_auditdata(struct sk_buff *skb,
 struct common_audit_data *ad, u8 *proto);
 
+#ifdef CONFIG_AUDIT
 void common_lsm_audit(struct common_audit_data *a,
 void (*pre_audit)(struct audit_buffer *, void *),
 void (*post_audit)(struct audit_buffer *, void *));
+#else
+static inline void common_lsm_audit(struct common_audit_data *a,
+ void (*pre_audit)(struct audit_buffer *, void *),
+ void (*post_audit)(struct audit_buffer *, void *))
+{
+}
+#endif
 
 #endif
diff --git a/security/Makefile b/security/Makefile
index a5214e60b..424c0beeb 100755
--- a/security/Makefile
+++ b/security/Makefile
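Review bot: In include/linux/lsm_audit.h the new `#else` stub turns `common_lsm_audit()` into an empty function, so with CONFIG_AUDIT=n every caller's audit record is discarded without a trace, and nothing in the header says so. A comment above the stub, for example `/* CONFIG_AUDIT=n: LSM audit records are silently discarded. */`, would make that trade-off visible to anyone who relies on these records for detection or policy debugging. The `ipv4_skb_to_auditdata()` and `ipv6_skb_to_auditdata()` prototypes in the context lines stay outside the new `#ifdef`, while the security/Makefile hunk now builds lsm_audit.o only under CONFIG_AUDIT. If those helpers are defined in that object, as their placement in this header suggests, a caller built with CONFIG_AUDIT=n would fail at link time, so they should move inside the `#ifdef CONFIG_AUDIT` or get stubs of their own.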
@@ -23,7 +23,7 @@ obj-$(CONFIG_SECURITY) += security.o
 obj-$(CONFIG_SECURITYFS) += inode.o
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/
 obj-$(CONFIG_SECURITY_SMACK) += smack/
-obj-$(CONFIG_SECURITY) += lsm_audit.o
+obj-$(CONFIG_AUDIT) += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
 obj-$(CONFIG_SECURITY_YAMA) += yama/
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 9e921fc72..8c5093f20 100755
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_SELINUX
 bool "NSA SELinux Support"
- depends on SECURITY_NETWORK && AUDIT && NET && INET
+ depends on SECURITY_NETWORK && NET && INET
 select NETWORK_SECMARK
 default n
 help
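Review bot: In security/Makefile, `obj-$(CONFIG_AUDIT) += lsm_audit.o` replaces the CONFIG_SECURITY condition instead of adding to it, so a kernel with CONFIG_AUDIT=y and CONFIG_SECURITY=n would now compile lsm_audit.o, which it did not before. The neighbouring `obj-$(CONFIG_SECURITY) += security.o` line suggests this Makefile is still processed in that configuration. Keeping both conditions, for example `ifdef CONFIG_AUDIT` / `obj-$(CONFIG_SECURITY) += lsm_audit.o` / `endif`, would preserve the previous behaviour for builds without any LSM.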
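Review bot: In security/selinux/Kconfig, removing `AUDIT` from the `depends on` line lets SELinux be enabled in a build where the lsm_audit.h stub discards every denial record, yet the option's help text is not updated to say so; it begins at the last line of this hunk and continues outside it. A help sentence such as `If AUDIT is disabled, SELinux still enforces policy but does not log denials.` would warn integrators who depend on those records for monitoring and policy development. If the target kernel's Kconfig supports it, `imply AUDIT` next to `select NETWORK_SECMARK` would keep auditing on by default while still allowing it to be switched off.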