From e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 Mon Sep 17 00:00:00 2001
From: Ashlen
Date: Tue, 20 May 2025 21:34:03 -0600
Subject: [PATCH] perf(permission-hardener): optimize string match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace subprocess grep calls with bash substring matching in check_nosuid_whitelist function. This eliminates ~10k unneeded subprocess spawns that were causing significant performance degradation. In testing, it improves overall script execution speed by an order of magnitude:

Before patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s]
Range (min … max): 10.430 s … 14.090 s 10 runs

After patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms]
Range (min … max): 639.4 ms … 1092.3 ms 10 runs

---
usr/bin/permission-hardener | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index 9f70834..b871fdc 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -256,8 +256,7 @@ check_nosuid_whitelist() {
 [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
 for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
- if safe_echo "${target_file}" \
- | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
+ if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
 return 1
 fi
 done
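Review bot: An empty match_white_list_entry still whitelists every path after this change, because `*""*` collapses to `**`, and the loop's `"${policy_match_white_list[@]:-}"` expansion yields exactly one empty element when the array is empty or unset. The old grep call behaved the same way (an empty --fixed-strings pattern matches every line), so this is not a regression, but the glob form makes it cheap to close: `[[ -n "${match_white_list_entry}" ]] || continue` as the first line of the loop body, assuming no caller intends an empty entry to mean "match all". Quoting the entry inside the pattern is correct — it keeps `*`, `?` and `[` in whitelist entries literal, preserving the --fixed-strings semantics being replaced — and a comment such as `# entry is quoted so glob metacharacters in it stay literal` would stop a later edit from dropping the quotes. check_nosuid_whitelist's head and the rest of its body lie outside the hunk.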