On Thu, Jul 6, 2023 at 9:37 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> avtab_hash_eval() and hashtab_stat() are only used in policydb.c when
> the debug macro DEBUG_HASHES is defined.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> security/selinux/ss/avtab.c | 2 ++
> security/selinux/ss/avtab.h | 3 +++
> security/selinux/ss/hashtab.c | 3 ++-
> security/selinux/ss/hashtab.h | 2 ++
> 4 files changed, 9 insertions(+), 1 deletion(-)
This reminds me that I don't really like the "hidden" and kludgy
nature of DEBUG_HASHES. What if we created a proper SELinux debug
Kconfig flag and used it in place of DEBUG_HASHES? I'm thinking of
something like this:
config SECURITY_SELINUX_DEBUG
bool "NSA SELinux kernel debugging support"
depends on SECURITY_SELINUX
default n
help
This enables debugging code designed to help SELinux kernel developers,
unless you know what this does in the kernel code you should leave this
disabled.
... and then we do all of the usual Kconfig triggered dummy funcs,
etc. Thoughts?
--
paul-moore.com
