* [PATCH lazy audit
From: Alexander Viro @ 2006-08-01 15:22 UTC (permalink / raw)
To: linux-audit
Killing audit overhead in case when no rules are loaded. More detailed
log (this is a composite of patch series from audit git tree, see audit.b23..
lspp.b23 in there for individual changesets):
[PATCH] introduce audit rules counter
[PATCH] mark context of syscall entered with no rules as dummy
[PATCH] don't bother with aux entires for dummy context
[PATCH] take filling ->pid, etc. out of audit_get_context()
move that stuff downstream and into the only branch where it'll be
used.
diff --git a/fs/namei.c b/fs/namei.c
index 0ab26cb..55a1312 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -159,7 +159,7 @@ char * getname(const char __user * filen
#ifdef CONFIG_AUDITSYSCALL
void putname(const char *name)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
audit_putname(name);
else
__putname(name);
@@ -1125,7 +1125,7 @@ static int fastcall do_path_lookup(int d
retval = link_path_walk(name, nd);
out:
if (likely(retval == 0)) {
- if (unlikely(current->audit_context && nd && nd->dentry &&
+ if (unlikely(!audit_dummy_context() && nd && nd->dentry &&
nd->dentry->d_inode))
audit_inode(name, nd->dentry->d_inode);
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index bf196c0..d26060e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -329,23 +329,28 @@ extern void __audit_inode(const char *na
extern void __audit_inode_child(const char *dname, const struct inode *inode,
const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
+static inline int audit_dummy_context(void)
+{
+ void *p = current->audit_context;
+ return !p || *(int *)p;
+}
static inline void audit_getname(const char *name)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_getname(name);
}
static inline void audit_inode(const char *name, const struct inode *inode) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode(name, inode);
}
static inline void audit_inode_child(const char *dname,
const struct inode *inode,
const struct inode *parent) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode_child(dname, inode, parent);
}
static inline void audit_inode_update(const struct inode *inode) {
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
__audit_inode_update(inode);
}
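Review bot: `audit_dummy_context()` reads the flag with `*(int *)p`, so it is correct only while `dummy` stays the first member of `struct audit_context`; the sole guard is the `/* must be the first element */` comment in the kernel/auditsc.c hunk. If a field is ever placed ahead of it, every hook in this header would test unrelated data and could silently skip audit records. A compile-time check would make the layout dependency enforceable, for example `BUILD_BUG_ON(offsetof(struct audit_context, dummy) != 0);` in kernel/auditsc.c. A one-line comment above the helper should also say why the cast is used, presumably because the struct definition is private to auditsc.c.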
@@ -370,51 +375,53 @@ extern int __audit_mq_getsetattr(mqd_t m
static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_ipc_obj(ipcp);
return 0;
}
static inline int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_ipc_set_perm(qbytes, uid, gid, mode);
return 0;
}
static inline int audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_open(oflag, mode, u_attr);
return 0;
}
static inline int audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout);
return 0;
}
static inline int audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);
return 0;
}
static inline int audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_notify(mqdes, u_notification);
return 0;
}
static inline int audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
- if (unlikely(current->audit_context))
+ if (unlikely(!audit_dummy_context()))
return __audit_mq_getsetattr(mqdes, mqstat);
return 0;
}
+extern int audit_n_rules;
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
#define audit_syscall_exit(f,r) do { ; } while (0)
+#define audit_dummy_context() 0
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
#define __audit_inode(n,i) do { ; } while (0)
@@ -437,6 +444,7 @@ #define audit_mq_timedsend(d,l,p,t) ({ 0
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
#define audit_mq_notify(d,n) ({ 0; })
#define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_n_rules 0
#endif
#ifdef CONFIG_AUDIT
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5b4e162..7322f34 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1134,6 +1134,14 @@ static inline int audit_add_rule(struct
struct audit_watch *watch = entry->rule.watch;
struct nameidata *ndp, *ndw;
int h, err, putnd_needed = 0;
+#ifdef CONFIG_AUDITSYSCALL
+ int dont_count = 0;
+
+ /* If either of these, don't count towards total */
+ if (entry->rule.listnr == AUDIT_FILTER_USER ||
+ entry->rule.listnr == AUDIT_FILTER_TYPE)
+ dont_count = 1;
+#endif
if (inode_f) {
h = audit_hash_ino(inode_f->val);
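Review bot: The `dont_count` test here is duplicated verbatim in the audit_del_rule hunk, and the counter stays balanced only while the two copies agree. If they drift, `audit_n_rules` can stick at zero with rules loaded, and the audit_syscall_entry hunk then marks every context dummy. A shared predicate removes that risk, e.g. `static inline int audit_rule_counted(int listnr) { return listnr != AUDIT_FILTER_USER && listnr != AUDIT_FILTER_TYPE; }`, used as `if (audit_rule_counted(entry->rule.listnr)) audit_n_rules++;`. The comment should also say why these two lists are excluded, presumably because they are not consulted on the syscall path. Both function bodies extend beyond the hunks.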
@@ -1174,6 +1182,10 @@ static inline int audit_add_rule(struct
} else {
list_add_tail_rcu(&entry->list, list);
}
+#ifdef CONFIG_AUDITSYSCALL
+ if (!dont_count)
+ audit_n_rules++;
+#endif
mutex_unlock(&audit_filter_mutex);
if (putnd_needed)
@@ -1198,6 +1210,14 @@ static inline int audit_del_rule(struct
struct audit_watch *watch, *tmp_watch = entry->rule.watch;
LIST_HEAD(inotify_list);
int h, ret = 0;
+#ifdef CONFIG_AUDITSYSCALL
+ int dont_count = 0;
+
+ /* If either of these, don't count towards total */
+ if (entry->rule.listnr == AUDIT_FILTER_USER ||
+ entry->rule.listnr == AUDIT_FILTER_TYPE)
+ dont_count = 1;
+#endif
if (inode_f) {
h = audit_hash_ino(inode_f->val);
@@ -1235,6 +1255,10 @@ static inline int audit_del_rule(struct
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
+#ifdef CONFIG_AUDITSYSCALL
+ if (!dont_count)
+ audit_n_rules--;
+#endif
mutex_unlock(&audit_filter_mutex);
if (!list_empty(&inotify_list))
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b1356fc..efc1b74 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -85,6 +85,9 @@ #define AUDIT_NAMES_RESERVED 7
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1
+/* number of audit rules */
+int audit_n_rules;
+
/* When fs/namei.c:getname() is called, we store the pointer in name and
* we don't let putname() free it (instead we free all of the saved
* pointers at syscall exit time).
@@ -174,6 +177,7 @@ struct audit_aux_data_path {
/* The per-task audit context. */
struct audit_context {
+ int dummy; /* must be the first element */
int in_syscall; /* 1 if task is in a syscall */
enum audit_state state;
unsigned int serial; /* serial number for record */
@@ -514,7 +518,7 @@ static inline struct audit_context *audi
context->return_valid = return_valid;
context->return_code = return_code;
- if (context->in_syscall && !context->auditable) {
+ if (context->in_syscall && !context->dummy && !context->auditable) {
enum audit_state state;
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
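Review bot: With `!context->dummy` added to this condition, a syscall entered while `audit_n_rules` was zero is never run through the AUDIT_FILTER_EXIT list, even if rules are loaded while it is still in progress. `dummy` is a snapshot written once in the audit_syscall_entry hunk (`context->dummy = !audit_n_rules;`) from an unlocked read, so there is a window after rule load in which already-running, possibly long-blocked, syscalls produce no record. If that is the intended trade-off, it deserves a comment at the assignment, e.g. `/* snapshot: rules added after entry do not apply to this syscall */`. The enclosing function starts and ends outside the hunk.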
@@ -530,17 +534,7 @@ static inline struct audit_context *audi
}
get_context:
- context->pid = tsk->pid;
- context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
- context->uid = tsk->uid;
- context->gid = tsk->gid;
- context->euid = tsk->euid;
- context->suid = tsk->suid;
- context->fsuid = tsk->fsuid;
- context->egid = tsk->egid;
- context->sgid = tsk->sgid;
- context->fsgid = tsk->fsgid;
- context->personality = tsk->personality;
+
tsk->audit_context = NULL;
return context;
}
@@ -749,6 +743,17 @@ static void audit_log_exit(struct audit_
const char *tty;
/* tsk == current */
+ context->pid = tsk->pid;
+ context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
+ context->uid = tsk->uid;
+ context->gid = tsk->gid;
+ context->euid = tsk->euid;
+ context->suid = tsk->suid;
+ context->fsuid = tsk->fsuid;
+ context->egid = tsk->egid;
+ context->sgid = tsk->sgid;
+ context->fsgid = tsk->fsgid;
+ context->personality = tsk->personality;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
if (!ab)
@@ -1066,7 +1071,8 @@ #endif
context->argv[3] = a4;
state = context->state;
- if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
+ context->dummy = !audit_n_rules;
+ if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
if (likely(state == AUDIT_DISABLED))
return;
@@ -1671,7 +1677,7 @@ int audit_bprm(struct linux_binprm *bprm
unsigned long p, next;
void *to;
- if (likely(!audit_enabled || !context))
+ if (likely(!audit_enabled || !context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
@@ -1709,7 +1715,7 @@ int audit_socketcall(int nargs, unsigned
struct audit_aux_data_socketcall *ax;
struct audit_context *context = current->audit_context;
- if (likely(!context))
+ if (likely(!context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
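Review bot: The test `!context || context->dummy` is open-coded here and again in the audit_sockaddr hunk, although `context` is `current->audit_context` in both and the header now provides `audit_dummy_context()` for exactly this. Using `if (likely(audit_dummy_context()))` keeps a single definition of what a dummy context is. The audit_bprm hunk has the same pattern, but its `context` initialisation is outside the hunk, so confirm before changing it there. The function bodies continue outside the hunks.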
@@ -1737,7 +1743,7 @@ int audit_sockaddr(int len, void *a)
struct audit_aux_data_sockaddr *ax;
struct audit_context *context = current->audit_context;
- if (likely(!context))
+ if (likely(!context || context->dummy))
return 0;
ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
* Re: [PATCH lazy audit
From: James Antill @ 2006-08-01 15:45 UTC (permalink / raw)
To: Alexander Viro; +Cc: linux-audit
On Tue, 2006-08-01 at 11:22 -0400, Alexander Viro wrote:
> Killing audit overhead in case when no rules are loaded. More detailed
> log (this is a composite of patch series from audit git tree, see audit.b23..
> lspp.b23 in there for individual changesets):
> [PATCH] introduce audit rules counter
> [PATCH] mark context of syscall entered with no rules as dummy
> [PATCH] don't bother with aux entires for dummy context
> [PATCH] take filling ->pid, etc. out of audit_get_context()
> move that stuff downstream and into the only branch where it'll be
> used.
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 0ab26cb..55a1312 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -159,7 +159,7 @@ char * getname(const char __user * filen
> #ifdef CONFIG_AUDITSYSCALL
> void putname(const char *name)
> {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> audit_putname(name);
> else
> __putname(name);
[...]
> +extern int audit_n_rules;
> #else
> #define audit_alloc(t) ({ 0; })
> #define audit_free(t) do { ; } while (0)
> #define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
> #define audit_syscall_exit(f,r) do { ; } while (0)
> +#define audit_dummy_context() 0
> #define audit_getname(n) do { ; } while (0)
> #define audit_putname(n) do { ; } while (0)
> #define __audit_inode(n,i) do { ; } while (0)
This should be:
+#define audit_dummy_context() 1
...no?
--
James Antill - <james.antill@redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
* Re: [PATCH lazy audit
From: Alexander Viro @ 2006-08-01 16:04 UTC (permalink / raw)
To: James Antill; +Cc: linux-audit
On Tue, Aug 01, 2006 at 11:45:58AM -0400, James Antill wrote:
> On Tue, 2006-08-01 at 11:22 -0400, Alexander Viro wrote:
> > Killing audit overhead in case when no rules are loaded. More detailed
> > log (this is a composite of patch series from audit git tree, see audit.b23..
> > lspp.b23 in there for individual changesets):
*blushes*
braino fixed.
* Re: [PATCH lazy audit
From: Amy Griffis @ 2006-08-03 18:56 UTC (permalink / raw)
To: Alexander Viro; +Cc: linux-audit
Alexander Viro wrote: [Tue Aug 01 2006, 11:22:38AM EDT]
> Killing audit overhead in case when no rules are loaded. More detailed
> log (this is a composite of patch series from audit git tree, see audit.b23..
> lspp.b23 in there for individual changesets):
>
> [PATCH] introduce audit rules counter
> [PATCH] mark context of syscall entered with no rules as dummy
> [PATCH] don't bother with aux entires for dummy context
> [PATCH] take filling ->pid, etc. out of audit_get_context()
> move that stuff downstream and into the only branch where it'll be
> used.
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 0ab26cb..55a1312 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -159,7 +159,7 @@ char * getname(const char __user * filen
> #ifdef CONFIG_AUDITSYSCALL
> void putname(const char *name)
> {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> audit_putname(name);
> else
> __putname(name);
> @@ -1125,7 +1125,7 @@ static int fastcall do_path_lookup(int d
> retval = link_path_walk(name, nd);
> out:
> if (likely(retval == 0)) {
> - if (unlikely(current->audit_context && nd && nd->dentry &&
> + if (unlikely(!audit_dummy_context() && nd && nd->dentry &&
> nd->dentry->d_inode))
> audit_inode(name, nd->dentry->d_inode);
> }
Why the double call to audit_dummy_context()? If false, we repeat the
call immediately in audit_inode(). I guess we were previously
checking current->audit_context twice, but I don't see any reason for
it.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index bf196c0..d26060e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -329,23 +329,28 @@ extern void __audit_inode(const char *na
> extern void __audit_inode_child(const char *dname, const struct inode *inode,
> const struct inode *parent);
> extern void __audit_inode_update(const struct inode *inode);
> +static inline int audit_dummy_context(void)
> +{
> + void *p = current->audit_context;
> + return !p || *(int *)p;
> +}
> static inline void audit_getname(const char *name)
> {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_getname(name);
> }
> static inline void audit_inode(const char *name, const struct inode *inode) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode(name, inode);
> }
> static inline void audit_inode_child(const char *dname,
> const struct inode *inode,
> const struct inode *parent) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode_child(dname, inode, parent);
> }
> static inline void audit_inode_update(const struct inode *inode) {
> - if (unlikely(current->audit_context))
> + if (unlikely(!audit_dummy_context()))
> __audit_inode_update(inode);
> }
>
[...]