selinux: Cache SID lookups for domain checks #3128
Merged
+88
−44
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The is_ksu_domain(), is_zygote(), and is_init() functions are called frequently throughout KernelSU's operation - on every prctl(), execve(), and setresuid() hook invocation. Previously, each call performed: 1. __security_secid_to_secctx() to convert task's SID to context string 2. Memory allocation for the context buffer 3. strncmp() for string comparison against domain names 4. __security_release_secctx() to free the allocated buffer This is inefficient for hot paths that may be called hundreds of times per boot cycle. Optimize by caching the SELinux SIDs for su, zygote, and init domains once during ksu_selinux_init() (called at post-fs-data). Subsequent checks use simple u32 integer comparison against tsec->sid, which is approximately 100x faster than string-based comparison. The implementation includes a fallback to string comparison if the cache hasn't been initialized yet (early boot edge case). Performance impact: - Before: O(n) string comparison + memory allocation per check - After: O(1) integer comparison with zero allocations Signed-off-by: 0xSecureByte <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR optimizes SELinux domain checking by caching Security ID (SID) values for frequently checked contexts (kernel su, zygote, and init) at initialization time. This eliminates expensive string-based context lookups on every domain check, replacing them with fast integer comparisons.
Key changes:
- Introduces cached SID variables that are resolved once during post-fs-data initialization
- Refactors domain checking functions to use a common
is_sid_match()helper with fast-path SID comparison - Maintains backward compatibility with a fallback to string comparison if caching fails
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| kernel/selinux/selinux.h | Adds ZYGOTE_CONTEXT and INIT_CONTEXT macro definitions and declares the new ksu_selinux_init() function |
| kernel/selinux/selinux.c | Implements SID caching mechanism with cached variables, initialization function, and refactored comparison logic using is_sid_match() helper |
| kernel/ksud.c | Integrates ksu_selinux_init() call into the post-fs-data initialization sequence |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
|
|
Bill sheet |
Owner
|
What if the sepolicy is reloaded? |
Collaborator
|
sidtab_convert_tree() keeps original sid order, so no need to worry about it. |
aviraxp
reviewed
Jan 2, 2026
aviraxp
reviewed
Jan 2, 2026
Signed-off-by: 0xSecureByte <[email protected]>
Collaborator
|
Mostly fine now, but can you rename ksu_selinux_init to sth like cache_sid()? |
Collaborator
|
Also, can you migrate ksu_file_sid = ksu_get_ksu_file_sid() to the new function too? |
Contributor
Author
|
Sure, let me do the changes in sometime |
Signed-off-by: 0xSecureByte <[email protected]>
aviraxp
approved these changes
Jan 5, 2026
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 5, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
pershoot
pushed a commit
to pershoot/KernelSU-Next
that referenced
this pull request
Jan 5, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
KOWX712
pushed a commit
to KOWX712/KernelSU
that referenced
this pull request
Jan 6, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
rifsxd
pushed a commit
to KernelSU-Next/KernelSU-Next
that referenced
this pull request
Jan 6, 2026
…1051) Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
pershoot
pushed a commit
to KernelSU-Next/KernelSU-Next
that referenced
this pull request
Jan 6, 2026
…1051) Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
MrShockWAVEog
pushed a commit
to MrShockWAVEog/KernelSU-Next
that referenced
this pull request
Jan 7, 2026
…ernelSU-Next#1051) Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
MrShockWAVEog
pushed a commit
to MrShockWAVEog/KernelSU-Next
that referenced
this pull request
Jan 7, 2026
…ernelSU-Next#1051) Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 8, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
PhuScam
pushed a commit
to PhuScam/KernelSU
that referenced
this pull request
Jan 11, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 13, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 13, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 13, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
u9521
pushed a commit
to u9521/KernelSU
that referenced
this pull request
Jan 14, 2026
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons. --------- Signed-off-by: 0xSecureByte <[email protected]> Co-authored-by: Copilot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cache SELinux SIDs for su/zygote/init contexts at init time instead of resolving them on every domain check. Reduces overhead from string-based lookups to simple integer comparisons.