f456f26c95
If an access triggers an denial, but it was allowed due to a global or per-domain permissive mode, (ie the message would have a "permissive=1" field), don't even bother going through the slow audit path to print the message. The permissive=1 messages spam the kernel logs making it much harder to see other useful messages. On elm, each slow_avc_audit() call consumes ~10-60 us. Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:653575 TEST=Boot, inspect /var/log/messages, no more messages like: [ 1.372604] audit: type=1400 audit(1475767701.728:4): avc: denied { read } for pid=1 comm="init" name="ld-linux-armhf.so.3" dev="dm-0" ino=40094 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file permissive=1 [ 1.372640] audit: type=1400 audit(1475767701.728:5): avc: denied { execute } for pid=1 comm="init" name="ld-2.19.so" dev="dm-0" ino=40084 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 Change-Id: Ic5b0630299f6bcac53659771b6c0cfef9cc13e2e Reviewed-on: https://chromium-review.googlesource.com/413144 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Daniel Kurtz <djkurtz@chromium.org> Reviewed-by: Luis Hector Chavez <lhchavez@google.com> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> (cherry picked from commit 1456e8755f19355e2d06430f6f378399b52571aa) Reviewed-on: https://chromium-review.googlesource.com/414285 Commit-Ready: Brian Norris <briannorris@chromium.org> Tested-by: Brian Norris <briannorris@chromium.org> [@nathanchance: removed CONFIG_SECURITY_SELINUX_DEVELOP option] Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Pranav Vashi <neobuddy89@gmail.com> Signed-off-by: GhostMaster69-dev <rathore6375@gmail.com>