From mboxrd@z Thu Jan  1 00:00:00 1970
From: Amy Griffis <amy.griffis@hp.com>
Subject: Re: [PATCH lazy audit
Date: Thu, 3 Aug 2006 14:56:13 -0400
Message-ID: <20060803185613.GA6038@dill.zko.hp.com>
References: <200608011522.k71FMcuq007786@devserv.devel.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <200608011522.k71FMcuq007786@devserv.devel.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Alexander Viro <aviro@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Alexander Viro wrote:  [Tue Aug 01 2006, 11:22:38AM EDT]
> 	Killing audit overhead in case when no rules are loaded.  More detailed
> log (this is a composite of patch series from audit git tree, see audit.b23..
> lspp.b23 in there for individual changesets):
> 
> [PATCH] introduce audit rules counter
> [PATCH] mark context of syscall entered with no rules as dummy
> [PATCH] don't bother with aux entires for dummy context
> [PATCH] take filling ->pid, etc. out of audit_get_context()
>     move that stuff downstream and into the only branch where it'll be
>     used.
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index 0ab26cb..55a1312 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -159,7 +159,7 @@ char * getname(const char __user * filen
>  #ifdef CONFIG_AUDITSYSCALL
>  void putname(const char *name)
>  {
> -	if (unlikely(current->audit_context))
> +	if (unlikely(!audit_dummy_context()))
>  		audit_putname(name);
>  	else
>  		__putname(name);
> @@ -1125,7 +1125,7 @@ static int fastcall do_path_lookup(int d
>  	retval = link_path_walk(name, nd);
>  out:
>  	if (likely(retval == 0)) {
> -		if (unlikely(current->audit_context && nd && nd->dentry &&
> +		if (unlikely(!audit_dummy_context() && nd && nd->dentry &&
>  				nd->dentry->d_inode))
>  		audit_inode(name, nd->dentry->d_inode);
>  	}

Why the double call to audit_dummy_context()?  If false, we repeat the
call immediately in audit_inode().  I guess we were previously
checking current->audit_context twice, but I don't see any reason for
it.

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index bf196c0..d26060e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -329,23 +329,28 @@ extern void __audit_inode(const char *na
>  extern void __audit_inode_child(const char *dname, const struct inode *inode,
>  				const struct inode *parent);
>  extern void __audit_inode_update(const struct inode *inode);
> +static inline int audit_dummy_context(void)
> +{
> +	void *p = current->audit_context;
> +	return !p || *(int *)p;
> +}
>  static inline void audit_getname(const char *name)
>  {
> -	if (unlikely(current->audit_context))
> +	if (unlikely(!audit_dummy_context()))
>  		__audit_getname(name);
>  }
>  static inline void audit_inode(const char *name, const struct inode *inode) {
> -	if (unlikely(current->audit_context))
> +	if (unlikely(!audit_dummy_context()))
>  		__audit_inode(name, inode);
>  }
>  static inline void audit_inode_child(const char *dname, 
>  				     const struct inode *inode,
>  				     const struct inode *parent) {
> -	if (unlikely(current->audit_context))
> +	if (unlikely(!audit_dummy_context()))
>  		__audit_inode_child(dname, inode, parent);
>  }
>  static inline void audit_inode_update(const struct inode *inode) {
> -	if (unlikely(current->audit_context))
> +	if (unlikely(!audit_dummy_context()))
>  		__audit_inode_update(inode);
>  }
>  
[...]