Hello Paul,

On 08/12/2015 17:42, Paul Moore wrote:
> To the best of our knowledge, everyone who enables audit at compile
> time also enables syscall auditing; this patch simplifies the Kconfig
> menus by removing the option to disable syscall auditing when audit
> is selected and the target arch supports it.
>
> Signed-off-by: Paul Moore <pmo...@redhat.com>

this patch is responsible for massive performance degradation for those who used only CONFIG_SECURITY_APPARMOR. And the numbers are, take the following test for instance: dd if=/dev/zero of=/dev/null count=2M ARM64: 500MB/s -> 350MB/s ARM: 400MB/s -> 300MB/s (with some particular CPU frequencies). Should we revert this patch? > --- > init/Kconfig | 11 +++-------- > 1 file changed, 3 insertions(+), 8 deletions(-) > > > -- > Linux-audit mailing list > linux-au...@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > > diff --git a/init/Kconfig b/init/Kconfig > index c24b6f7..d4663b1 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -299,20 +299,15 @@ config AUDIT > help > Enable auditing infrastructure that can be used with another > kernel subsystem, such as SELinux (which requires this for > - logging of avc messages output). Does not do system-call > - auditing without CONFIG_AUDITSYSCALL. > + logging of avc messages output). System call auditing is included > + on architectures which support it. > > config HAVE_ARCH_AUDITSYSCALL > bool > > config AUDITSYSCALL > - bool "Enable system-call auditing support" > + def_bool y > depends on AUDIT && HAVE_ARCH_AUDITSYSCALL > - default y if SECURITY_SELINUX > - help > - Enable low-overhead system-call auditing infrastructure that > - can be used independently or with another kernel subsystem, > - such as SELinux. > > config AUDIT_WATCH > def_bool y > -- Best regards, Alexander Sverdlin.
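Review bot: In the `config AUDITSYSCALL` part of the hunk, replacing the prompt with `def_bool y` removes every way to build with AUDIT but without syscall auditing on an architecture that sets HAVE_ARCH_AUDITSYSCALL, and the commit message justifies this only with "to the best of our knowledge". A configuration that enables AUDIT for another subsystem's log messages now gets the syscall entry/exit hooks as well, which is the case the reply above reports as a throughput regression on ARM and ARM64. Consider keeping the symbol user-visible with the same default, for example `bool "Enable system-call auditing support"` followed by `default y`, so the common case is unchanged while an opt-out remains. The hunk also deletes the AUDITSYSCALL help text outright; if the option stays visible, keep the help text and mention the per-syscall cost so the trade-off is documented where it is chosen.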