| Message ID | 20230718184921.112786-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to | Paul Moore |
| Series | [1/3] selinux: introduce SECURITY_SELINUX_DEBUG configuration |
On Jul 18, 2023 Christian Göttsche <cgzones@googlemail.com> wrote:
>
> The policy database code contains several debug output statements
> related to hashtable utilization. Those are guarded by the macro
> DEBUG_HASHES, which is neither documented nor set anywhere.
>
> Introduce a new Kconfig configuration guarding this and potential
> other future debugging related code. Disable the setting by default.
>
> Suggested-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> This already uses the de-branded naming scheme, as proposed by
> Stephen.
> ---
> security/selinux/Kconfig | 9 +++++++++
> security/selinux/ss/policydb.c | 8 ++++----
> 2 files changed, 13 insertions(+), 4 deletions(-)

Merged into selinux/next with some minor adjustments to the help text
line lengths, thanks for doing this Christian.

--
paul-moore.com
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 95a186ec0fcb..9e5be5cc6215 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -68,3 +68,12 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE conversion. Setting this option to 0 disables the cache completely. If unsure, keep the default value. + +config SECURITY_SELINUX_DEBUG + bool "SELinux kernel debugging support" + depends on SECURITY_SELINUX + default n + help + This enables debugging code designed to help SELinux kernel developers, + unless you know what this does in the kernel code you should leave this + disabled. diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index cfe77ef24ee2..cc478f3f4778 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -41,7 +41,7 @@ #include "mls.h" #include "services.h" -#ifdef DEBUG_HASHES +#ifdef CONFIG_SECURITY_SELINUX_DEBUG static const char *const symtab_name[SYM_NUM] = { "common prefixes", "classes", @@ -678,7 +678,7 @@ static int (*const index_f[SYM_NUM]) (void *key, void *datum, void *datap) = { cat_index, }; -#ifdef DEBUG_HASHES +#ifdef CONFIG_SECURITY_SELINUX_DEBUG static void hash_eval(struct hashtab *h, const char *hash_name) { struct hashtab_info info; @@ -701,7 +701,7 @@ static void symtab_hash_eval(struct symtab *s) static inline void hash_eval(struct hashtab *h, const char *hash_name) { } -#endif +#endif /* CONFIG_SECURITY_SELINUX_DEBUG */ /* * Define the other val_to_name and val_to_struct arrays @@ -725,7 +725,7 @@ static int policydb_index(struct policydb *p) pr_debug("SELinux: %d classes, %d rules\n", p->p_classes.nprim, p->te_avtab.nel); -#ifdef DEBUG_HASHES +#ifdef CONFIG_SECURITY_SELINUX_DEBUG avtab_hash_eval(&p->te_avtab, "rules"); symtab_hash_eval(p->symtab); #endif
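Review bot: In the Kconfig hunk, `default n` is redundant, since a bool symbol with no default line is already n, and can be dropped. The help text also runs two thoughts into one sentence ("This enables debugging code designed to help SELinux kernel developers, unless you know what this does in the kernel code you should leave this disabled."); splitting it into "This enables debugging code designed to help SELinux kernel developers." followed by "Unless you know what this does in the kernel code you should leave this disabled." reads better and keeps each line shorter, which matters given that the help text lines here exceed the usual width.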
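Review bot: The policydb.c hunks are inconsistent about annotating `#endif`: the one closing the hash_eval()/symtab_hash_eval() definitions gains `/* CONFIG_SECURITY_SELINUX_DEBUG */`, while the `#endif` after `symtab_hash_eval(p->symtab);` in policydb_index() is left bare; either both should carry the comment or neither. Separately, `avtab_hash_eval(&p->te_avtab, "rules");` now sits behind CONFIG_SECURITY_SELINUX_DEBUG but this diff only touches policydb.c, so it is worth confirming that the avtab_hash_eval() definition in avtab.c is available (or stubbed) under exactly the same condition, otherwise enabling the new option could leave an undefined reference where DEBUG_HASHES previously kept both sides in step.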
The policy database code contains several debug output statements
related to hashtable utilization. Those are guarded by the macro
DEBUG_HASHES, which is neither documented nor set anywhere.

Introduce a new Kconfig configuration guarding this and potential
other future debugging related code. Disable the setting by default.

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
This already uses the de-branded naming scheme, as proposed by
Stephen.
---
security/selinux/Kconfig | 9 +++++++++
security/selinux/ss/policydb.c | 8 ++++----
2 files changed, 13 insertions(+), 4 deletions(-)