The path of a file context definition is compared as a regular expression against actual pathnames. Those definitions frequently make use of groups, like `(/.*)?`, which are capturing by default, causing the regex engine to extract and save the matched input. Matching context definitions against pathnames only cares about whether it's a match or not; potential captures are never accessed.

Compile regular expressions (in the default PCRE2 variant) with the flag PCRE2_NO_AUTO_CAPTURE to turn captured groups automatically into non-captured ones, like `(/.*)?` into `(?:/.*)?`. This saves some cycles during lookup operations (~1.5%).

The only potential regression would be the advanced usage of backreferences or recursion/subroutine calls to numbered captures, which would need an update to use named captures instead.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

--- libselinux/src/regex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index 88d82fed..87423c48 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c @@ -80,7 +80,7 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string, return -1; (*regex)->regex = pcre2_compile( - (PCRE2_SPTR)pattern_string, PCRE2_ZERO_TERMINATED, PCRE2_DOTALL, + (PCRE2_SPTR)pattern_string, PCRE2_ZERO_TERMINATED, PCRE2_DOTALL | PCRE2_NO_AUTO_CAPTURE, &errordata->error_code, &errordata->error_offset, NULL); if (!(*regex)->regex) { goto err; -- 2.43.0
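
Review bot: The PCRE2_NO_AUTO_CAPTURE option added to the pcre2_compile() call in regex_prepare_data() carries no comment, so the compatibility constraint spelled out in the commit message (numbered backreferences and numbered recursion/subroutine calls must move to named captures) is not recorded anywhere in the code. A short comment above the call would help, stating that lookups only test for a match and never read captures, and that numbered groups are therefore disabled. If an existing pattern that relies on numbered captures no longer compiles, it ends up on the unchanged `if (!(*regex)->regex) { goto err;` path, so it is worth confirming that what gets reported from errordata->error_code and errordata->error_offset tells a policy author which pattern to rewrite. The ~1.5% figure would also be easier to evaluate if the commit message said how it was measured.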