Commit 55a0e738 authored by Christian Göttsche's avatar Christian Göttsche Committed by Paul Moore

selinux: introduce SECURITY_SELINUX_DEBUG configuration



The policy database code contains several debug output statements
related to hashtable utilization.  Those are guarded by the macro
DEBUG_HASHES, which is neither documented nor set anywhere.

Introduce a new Kconfig configuration guarding this and potential
other future debugging related code.  Disable the setting by default.

Suggested-by: default avatarPaul Moore <paul@paul-moore.com>
Signed-off-by: default avatarChristian Göttsche <cgzones@googlemail.com>
[PM: fixed line lengths in the help text]
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent dd51fcd4
+9 −0
@@ -68,3 +68,12 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE
	  conversion.  Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.

config SECURITY_SELINUX_DEBUG
	bool "SELinux kernel debugging support"
	depends on SECURITY_SELINUX
	default n
	help
	  This enables debugging code designed to help SELinux kernel
	  developers, unless you know what this does in the kernel code you
	  should leave this disabled.
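Review bot: The help text for SECURITY_SELINUX_DEBUG does not say what the option actually turns on, and its single sentence is a comma splice. Going by the commit description, the option currently guards the hashtable-utilization debug output in the policy database code, so the help could read `This enables debugging code designed to help SELinux kernel developers; it currently covers the policy hashtable utilization output.` followed by `Unless you know what this does in the kernel code, leave this disabled.` The `default n` line is also redundant, since a bool symbol with no default is already n.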
+4 −4
@@ -41,7 +41,7 @@
#include "mls.h"
#include "services.h"

#ifdef DEBUG_HASHES
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
static const char *const symtab_name[SYM_NUM] = {
	"common prefixes",
	"classes",
@@ -678,7 +678,7 @@ static int (*const index_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
	cat_index,
};

#ifdef DEBUG_HASHES
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
static void hash_eval(struct hashtab *h, const char *hash_name)
{
	struct hashtab_info info;
@@ -701,7 +701,7 @@ static void symtab_hash_eval(struct symtab *s)
static inline void hash_eval(struct hashtab *h, const char *hash_name)
{
}
#endif
#endif /* CONFIG_SECURITY_SELINUX_DEBUG */

/*
 * Define the other val_to_name and val_to_struct arrays
@@ -725,7 +725,7 @@ static int policydb_index(struct policydb *p)
	pr_debug("SELinux:  %d classes, %d rules\n",
		 p->p_classes.nprim, p->te_avtab.nel);

#ifdef DEBUG_HASHES
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
	avtab_hash_eval(&p->te_avtab, "rules");
	symtab_hash_eval(p->symtab);
#endif
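Review bot: The closing `#endif` after `symtab_hash_eval(p->symtab);` in policydb_index is left bare, while the one after the empty `hash_eval` stub gained a trailing comment; write it as `#endif /* CONFIG_SECURITY_SELINUX_DEBUG */` so both guards read the same. Because the commit description says DEBUG_HASHES was never set anywhere, the code behind these guards has presumably never been compiled in-tree, so a build with the new option enabled is worth doing before anyone relies on it. The bodies of hash_eval, symtab_hash_eval and policydb_index continue outside the hunks shown, so their contents cannot be checked from here.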