From: Amy Griffis <amy.griffis@hp.com>
To: Alexander Viro <aviro@redhat.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
Subject: Re: Watch Performance
Date: Mon, 24 Apr 2006 11:34:20 -0400 [thread overview]
Message-ID: <20060424153420.GA17807@zk3.dec.com> (raw)
In-Reply-To: <20060421160752.GE1727@devserv.devel.redhat.com>
Alexander Viro wrote: [Fri Apr 21 2006, 12:07:52PM EDT]
> On Fri, Apr 21, 2006 at 11:10:21AM -0400, Linda Knippers wrote:
> >
> > > Al, proposed a different solution. You might want to check with him for
> > > details. It was discussed at the Monday Telecon.
> >
> > Maybe Al could post something? With the buzz on the phone line some
> > of the discussion was hard to follow.
>
> Basically, add 3 families of rule lists. Rule that has one AUDIT_INODE
> or AUDIT_WATCH field and would currently sit in audit_filter_list[n]
> would be moved to audit_filter_list[AUDIT_NR_FILTERS + n * 31 + ino % 31]
> where ino is inode number from the AUDIT_INODE/AUDIT_WATCH field of that
> rule. Everything else would remain where it is now.
>
> If ->ino changes during the lifetime, rule would have to be moved between
> these lists.
>
> When we are trying to match context with rules on (current) list #n, we
> _know_ that many of them won't match just on the grounds of ->ino mismatch.
> With that splitting of lists we can skip most of those - rules from the
> current list #n will be on list #n and 31 lists starting with
> AUDIR_NR_FILTERS + 31*n. We only need to scan
> n (that's where non-watch rules remain)
> AUDIT_NR_FILTERS + 31*n + ctx->names[i].ino % 31 for each i less than
> ctx->name_count.
>
> Everything else is not going to match and doesn't have to be looked at.
While the per-syscall lists would be a good overall improvement to
audit filtering, this better solves the specific problem of many
inode-based rules.
Since inodes are only applicable to the syscall exit filter list, it
could be simplified to use a single inode-based hash, instead of one
for each filterlist (AUDIT_NR_FILTERS).
I'd be happy to add this functionality as a follow-on patch to the
filesystem auditing patch, if no one else is working on it.
Amy
next prev parent reply other threads:[~2006-04-24 15:34 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-08 16:21 Watch Performance Steve Grubb
2006-04-09 19:48 ` Steve Grubb
2006-04-11 13:12 ` Steve Grubb
2006-04-11 3:51 ` Amy Griffis
2006-04-11 10:26 ` Steve Grubb
2006-04-11 16:11 ` Amy Griffis
2006-04-11 21:01 ` Steve Grubb
2006-04-11 21:21 ` Linda Knippers
2006-04-12 21:15 ` Amy Griffis
2006-04-17 15:27 ` Timothy R. Chavez
2006-04-17 20:06 ` Klaus Weidner
2006-04-21 15:01 ` Amy Griffis
2006-04-21 15:13 ` Steve Grubb
2006-04-21 15:10 ` Linda Knippers
2006-04-21 16:07 ` Alexander Viro
2006-04-24 15:34 ` Amy Griffis [this message]
2006-05-10 15:32 ` Steve Grubb
2006-05-10 16:34 ` Alexander Viro
2006-05-10 19:23 ` Steve Grubb
2006-05-10 19:37 ` Alexander Viro
2006-05-10 19:51 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060424153420.GA17807@zk3.dec.com \
--to=amy.griffis@hp.com \
--cc=aviro@redhat.com \
--cc=linux-audit@redhat.com \
--cc=redhat-lspp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox