Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-06-15 16:19:20 -04:00
Code Issues Projects Releases Packages Wiki Activity

perf(permission-hardener): optimize string match

Browse source 
Replace subprocess grep calls with bash substring matching in
check_nosuid_whitelist function. This eliminates ~10k unneeded
subprocess spawns that were causing significant performance
degradation.

In testing, it improves overall script execution speed by an
order of magnitude:

Before patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
  Time (mean ± σ):     11.906 s ±  0.974 s    [User: 3.639 s, System: 8.728 s]
  Range (min … max):   10.430 s … 14.090 s    10 runs

After patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
  Time (mean ± σ):     802.8 ms ± 178.5 ms    [User: 283.0 ms, System: 471.9 ms]
  Range (min … max):   639.4 ms … 1092.3 ms    10 runs
This commit is contained in:
Ashlen 2025-05-20 21:34:03 -06:00
parent 19d7e1af5d
commit e14b81b15e
No known key found for this signature in database
GPG key ID: F1B59F496EE704B0
1 changed files with 1 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
usr/bin/permission-hardener
View file

@ -256,8 +256,7 @@ check_nosuid_whitelist() {
[[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
if safe_echo "${target_file}" \
| grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
return 1
fi
done