Hi @tiann.
Thanks for the great project, I had great fun playing around with it.
This PR mainly tries to further minimize the possible delays caused by
KernelSU hooking.
There are 3 major changes:
- Processes with 0 < UID < 2000 are blocked straight-up before going
through the allow_list.
I don't see any need for such processes to be interested in root, and
this allows returning early before going through a more expensive
lookup.
If there's an expected breakage due to this change, I'll remove it. Let
me know.
- A page-sized (4K) bitmap is added.
This allows O(1) lookup for UID <= 32767.
This speeds up `ksu_is_allow_uid()` by about 4.8x by sacrificing 4K of
memory. IMHO, a good trade-off.
Most notably, this reduces the 99.999% result from a previously worrying
millisecond scale to a microsecond scale.
For UID > 32767, another page-sized (4K) sequential array is used to
cache allow_list.
Compared to the previous PR #557, this new approach gives another nice
25% performance boost on average and a 63-96% boost in worst cases.
Benchmark results are available at
https://docs.google.com/spreadsheets/d/1w_tO1zRLPNMFRer49pL1TQfL6ndEhilRrDU1XFIcWXY/edit?usp=sharing
Thanks!
---------
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
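The lookup path the PR describes (early reject of 0 < UID < 2000, a page-sized bitmap for UID <= 32767, a page-sized sequential cache above that), as an added model in C; this is not KernelSU's own code, and the array and function names, the 2000 app-UID boundary constant and the full-cache behaviour are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the lookup described in the PR, not KernelSU's code.
 * One 4K page of bits covers UIDs 0..32767 in O(1); higher UIDs are cached
 * in a second 4K page that is scanned sequentially. All names are assumed. */
#define PAGE_SIZE_BYTES 4096
#define BITMAP_UID_MAX  (PAGE_SIZE_BYTES * 8 - 1)            /* 32767 */
#define HIGH_CACHE_MAX  (PAGE_SIZE_BYTES / sizeof(uint32_t)) /* 1024 */
#define AID_APP_START   2000   /* first Android app UID; lower UIDs are system */

static uint8_t  allow_bitmap[PAGE_SIZE_BYTES];
static uint32_t allow_high[HIGH_CACHE_MAX];
static size_t   allow_high_count;

/* Register an allow_list entry in whichever structure covers its UID range. */
bool allow_uid_add(uint32_t uid)
{
    if (uid <= BITMAP_UID_MAX) {
        allow_bitmap[uid / 8] |= (uint8_t)(1u << (uid % 8));
        return true;
    }
    if (allow_high_count >= HIGH_CACHE_MAX)
        return false;   /* cache full: caller must fall back to the full list */
    allow_high[allow_high_count++] = uid;
    return true;
}

/* Hot path: early reject, then bitmap, then sequential cache. */
bool ksu_is_allow_uid_model(uint32_t uid)
{
    if (uid > 0 && uid < AID_APP_START)
        return false;   /* 0 < UID < 2000 is rejected before any lookup */
    if (uid <= BITMAP_UID_MAX)
        return (allow_bitmap[uid / 8] >> (uid % 8)) & 1u;
    for (size_t i = 0; i < allow_high_count; i++)
        if (allow_high[i] == uid)
            return true;
    return false;
}

int main(void)
{
    allow_uid_add(0); allow_uid_add(10123); allow_uid_add(1010123);
    uint32_t probes[] = { 0, 1000, 10123, 10124, 1010123, 1010124 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("uid %u -> %s\n", (unsigned)probes[i],
               ksu_is_allow_uid_model(probes[i]) ? "allow" : "deny");
    return 0;
}
```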
- Seen with the Linux 4.14 kernel, with the error message:
In file included from ../drivers/android/kernelsu/selinux/sepolicy.c:1:
In file included from ../drivers/android/kernelsu/selinux/sepolicy.h:6:
In file included from ../security/selinux/ss/policydb.h:30: In file
included from ../security/selinux/ss/avtab.h:26:
../security/selinux/include/security.h:240:10: error: use of undeclared
identifier 'EIDRM'
return -EIDRM;
^
CC drivers/base/transport_class.o
CC kernel/rcu/update.o
../security/selinux/include/security.h:246:10: error: use of undeclared
identifier 'ENOENT'
return -ENOENT;
^
This checks for `selinux_state` and `current_sid` support in a raw way.
It feels more reliable than the version checks.
Supersedes #401, fixes #280, fixes #400.
4.9's last release, aka 4.9.337, still needs the same fallbacks as 4.9.212
and breaks otherwise; upgrade this to fix compilation.
Tested and working on POCO F1, 4.9.337
`selinux_state` is backported to the 4.9 kernel with the 4.9.212 release;
use it to fix the build.
Many thanks to @reallysnow for figuring this out.
Inspired by d7c2c5f02a.
* Merged related changes in android-common-kernel-4.14.163 [1]. Handle
correct checks for older versions (below 4.14.163, 4.9, 4.4).
* Fixes 14be7562; it is required in the 4.14.163 kernel, it is not needed in
4.14.163 and later.
[1]: https://github.com/MiCode/Xiaomi_Kernel_OpenSource/commits/1cfd8419
Change-Id: Iade104312d058a249667ca836259d5608418bb55
Co-authored-by: admin <paper@localhost>
* Although d77ab8d fixed some typos, since avc.h is not included, this
will cause the build to fail.
* Error:
/mnt/HDD/fish/aospa/kernel/msm-4.9/drivers/staging/ksu/selinux/selinux.c:60:2:
error: use of undeclared identifier 'selinux_enforcing'
selinux_enforcing = enforce;
^
/mnt/HDD/fish/aospa/kernel/msm-4.9/drivers/staging/ksu/selinux/selinux.c:81:9:
error: use of undeclared identifier 'selinux_enforcing'
return selinux_enforcing;
^
2 errors generated.
Change-Id: I4cc8917b2b73ca467873222e02d498da8718988e