From: Amy Griffis
Subject: Re: Watch Performance
Date: Mon, 24 Apr 2006 11:34:20 -0400
Message-ID: <20060424153420.GA17807@zk3.dec.com>
References: <200604081221.58080.sgrubb@redhat.com> <20060417200656.GA31654@w-m-p.com> <20060421150104.GA32595@zk3.dec.com> <200604211113.36940.sgrubb@redhat.com> <4448F5DD.90603@hp.com> <20060421160752.GE1727@devserv.devel.redhat.com>
In-Reply-To: <20060421160752.GE1727@devserv.devel.redhat.com>
To: Alexander Viro
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Alexander Viro wrote: [Fri Apr 21 2006, 12:07:52PM EDT]
> On Fri, Apr 21, 2006 at 11:10:21AM -0400, Linda Knippers wrote:
> >
> > > Al proposed a different solution. You might want to check with him for
> > > details. It was discussed at the Monday Telecon.
> >
> > Maybe Al could post something? With the buzz on the phone line some
> > of the discussion was hard to follow.
>
> Basically, add 3 families of rule lists. Rule that has one AUDIT_INODE
> or AUDIT_WATCH field and would currently sit in audit_filter_list[n]
> would be moved to audit_filter_list[AUDIT_NR_FILTERS + n * 31 + ino % 31]
> where ino is inode number from the AUDIT_INODE/AUDIT_WATCH field of that
> rule. Everything else would remain where it is now.
>
> If ->ino changes during the lifetime, rule would have to be moved between
> these lists.
>
> When we are trying to match context with rules on (current) list #n, we
> _know_ that many of them won't match just on the grounds of ->ino mismatch.
> With that splitting of lists we can skip most of those - rules from the
> current list #n will be on list #n and 31 lists starting with
> AUDIT_NR_FILTERS + 31*n. We only need to scan
>   n (that's where non-watch rules remain)
>   AUDIT_NR_FILTERS + 31*n + ctx->names[i].ino % 31 for each i less than
>   ctx->name_count.
>
> Everything else is not going to match and doesn't have to be looked at.

While the per-syscall lists would be a good overall improvement to audit
filtering, this better solves the specific problem of many inode-based
rules. Since inodes are only applicable to the syscall exit filter list,
it could be simplified to use a single inode-based hash, instead of one
for each filterlist (AUDIT_NR_FILTERS).

I'd be happy to add this functionality as a follow-on patch to the
filesystem auditing patch, if no one else is working on it.

Amy
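As an added illustration of the bucketing Al describes (this is constructed example code, not code from the thread or from the kernel audit subsystem), the toy below hangs 31 inode buckets under each base filter list and, when matching a context against list n, walks only list n plus one bucket per name inode. AUDIT_NR_FILTERS = 6, the sample rule ids and inode values, and the convention that a non-inode rule always matches are assumptions made for the example.

```c
#include <string.h>
#define AUDIT_NR_FILTERS 6   /* assumed number of base filter lists */
#define INO_BUCKETS 31       /* the 31 inode buckets hung under each list in Al's proposal */
#define NR_LISTS (AUDIT_NR_FILTERS + AUDIT_NR_FILTERS * INO_BUCKETS)
/* Bucket index for inode `ino` under list n: AUDIT_NR_FILTERS + n*31 + ino%31 */
#define INO_LIST(n, ino) (AUDIT_NR_FILTERS + (n) * INO_BUCKETS + (int)((ino) % INO_BUCKETS))
struct audit_rule { int id; unsigned long ino; struct audit_rule *next; }; /* ino 0: no inode/watch field */
struct scan_result { int examined; int matched; };
static struct audit_rule *filter_list[NR_LISTS];
static struct audit_rule rules[8];  /* constructed sample rules */
/* A rule with an inode field goes to its bucket; everything else stays on list n. */
static void add_rule(int n, int id, unsigned long ino)
{
    int idx = ino ? INO_LIST(n, ino) : n;
    rules[id].id = id; rules[id].ino = ino;
    rules[id].next = filter_list[idx]; filter_list[idx] = &rules[id];
}
void setup_rules(void)
{
    memset(filter_list, 0, sizeof filter_list);
    add_rule(0, 0, 0);    /* non-inode rule: stays on list 0 */
    add_rule(0, 1, 100);  /* 100 % 31 == 7 */
    add_rule(0, 2, 131);  /* 131 % 31 == 7: shares the bucket, different inode */
    add_rule(0, 3, 200);  /* 200 % 31 == 14: a bucket none of the names below hash to */
    add_rule(1, 4, 100);  /* same inode, but hung under list 1 */
}
/* Walk one list. An inode rule matches when some name carries that inode; a
 * non-inode rule is taken to match here (its other fields are outside this toy). */
static void scan(int idx, const unsigned long *names, int count, struct scan_result *res)
{
    for (struct audit_rule *r = filter_list[idx]; r; r = r->next) {
        res->examined++;
        if (!r->ino) { res->matched++; continue; }
        for (int i = 0; i < count; i++)
            if (names[i] == r->ino) { res->matched++; break; }
    }
}
/* Match a context against list n: list n itself plus one bucket per name's inode. */
struct scan_result filter_context(int n, const unsigned long *names, int count)
{
    struct scan_result res = {0, 0};
    unsigned char seen[INO_BUCKETS] = {0};  /* two names in one bucket: scan it once */
    scan(n, names, count, &res);
    for (int i = 0; i < count; i++) {
        int b = (int)(names[i] % INO_BUCKETS);
        if (!seen[b]) { seen[b] = 1; scan(INO_LIST(n, names[i]), names, count, &res); }
    }
    return res;   /* names {100, 7} against list 0: examined 3, matched 2 */
}
```

With the five sample rules, a context whose names carry inodes 100 and 7 touches only three rules on list 0 (the non-inode rule and the two in bucket 7); the rule in bucket 14 and the one under list 1 are never looked at.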