selinux: introduce SECURITY_SELINUX_DEBUG configuration

The policy database code contains several debug output statements
related to hashtable utilization.  Those are guarded by the macro
DEBUG_HASHES, which is neither documented nor set anywhere.

Introduce a new Kconfig configuration guarding this and potential
other future debugging related code.  Disable the setting by default.

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: fixed line lengths in the help text]
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index c275115b508848d564e3f8c111451b9285decf0b..d30348fbe0df33fd00fe20bce614d578c26acaf4 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -68,3 +68,12 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE
          conversion.  Setting this option to 0 disables the cache completely.
 
          If unsure, keep the default value.
+
+config SECURITY_SELINUX_DEBUG
+       bool "SELinux kernel debugging support"
+       depends on SECURITY_SELINUX
+       default n
+       help
+         This enables debugging code designed to help SELinux kernel
+         developers, unless you know what this does in the kernel code you
+         should leave this disabled.

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index b903a4dfdce165c26052e4321e1d1ac505a35528..dc66868ff62cd91947650b74f9035f49210fc8c3 100644 (file)
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -41,7 +41,7 @@
 #include "mls.h"
 #include "services.h"
 
-#ifdef DEBUG_HASHES
+#ifdef CONFIG_SECURITY_SELINUX_DEBUG
 static const char *const symtab_name[SYM_NUM] = {
        "common prefixes",
        "classes",
@@ -678,7 +678,7 @@ static int (*const index_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
        cat_index,
 };
 
-#ifdef DEBUG_HASHES
+#ifdef CONFIG_SECURITY_SELINUX_DEBUG
 static void hash_eval(struct hashtab *h, const char *hash_name)
 {
        struct hashtab_info info;
@@ -701,7 +701,7 @@ static void symtab_hash_eval(struct symtab *s)
 static inline void hash_eval(struct hashtab *h, const char *hash_name)
 {
 }
-#endif
+#endif /* CONFIG_SECURITY_SELINUX_DEBUG */
 
 /*
  * Define the other val_to_name and val_to_struct arrays
@@ -725,7 +725,7 @@ static int policydb_index(struct policydb *p)
        pr_debug("SELinux:  %d classes, %d rules\n",
                 p->p_classes.nprim, p->te_avtab.nel);
 
-#ifdef DEBUG_HASHES
+#ifdef CONFIG_SECURITY_SELINUX_DEBUG
        avtab_hash_eval(&p->te_avtab, "rules");
        symtab_hash_eval(p->symtab);
 #endif