Alexander Viro wrote: [Tue Aug 01 2006, 11:22:38AM EDT]
> Killing audit overhead in case when no rules are loaded. More detailed
> log (this is a composite of patch series from audit git tree, see audit.b23..
> lspp.b23 in there for individual changesets):
>
> [PATCH] introduce audit rules counter
> [PATCH] mark context of syscall entered with no rules as dummy
> [PATCH] don't bother with aux entires for dummy context
> [PATCH] take filling ->pid, etc. out of audit_get_context()
> move that stuff downstream and into the only branch where it'll be
> used.
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 0ab26cb..55a1312 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -159,7 +159,7 @@ char * getname(const char __user * filen
> #ifdef CONFIG_AUDITSYSCALL
> void putname(const char *name)
> {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> audit_putname(name);
> else
> __putname(name);
> @@ -1125,7 +1125,7 @@ static int fastcall do_path_lookup(int d
> retval = link_path_walk(name, nd);
> out:
> if (likely(retval == 0)) {
> - if (unlikely(current->audit_context && nd && nd->dentry &&
> + if (unlikely(!audit_dummy_context() && nd && nd->dentry &&
> nd->dentry->d_inode))
> audit_inode(name, nd->dentry->d_inode);
> }
Why the double call to audit_dummy_context()? If false, we repeat the
call immediately in audit_inode(). I guess we were previously
checking current->audit_context twice, but I don't see any reason for
it.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index bf196c0..d26060e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -329,23 +329,28 @@ extern void __audit_inode(const char *na
> extern void __audit_inode_child(const char *dname, const struct inode *inode,
> const struct inode *parent);
> extern void __audit_inode_update(const struct inode *inode);
> +static inline int audit_dummy_context(void)
> +{
> + void *p = current->audit_context;
> + return !p || *(int *)p;
> +}
> static inline void audit_getname(const char *name)
> {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_getname(name);
> }
> static inline void audit_inode(const char *name, const struct inode *inode) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode(name, inode);
> }
> static inline void audit_inode_child(const char *dname,
> const struct inode *inode,
> const struct inode *parent) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode_child(dname, inode, parent);
> }
> static inline void audit_inode_update(const struct inode *inode) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode_update(inode);
> }
>
[...]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
