Re: [PATCH 2/2] audit: shrink audit_krule by using smaller bitfields

[Richard Guy Briggs <rgb@redhat.com>]

On 14/12/23, Steve Grubb wrote:
> On Tuesday, December 23, 2014 01:20:15 PM Richard Guy Briggs wrote:
> > Replace five 32-bit fields with one.  Move a nearby 32-bit field to enable
> > 64-bit alignment.
> 
> Are there performance impacts from handling bit fields? The syscall audit rules 
> affect each syscall of each program running.

Quite possibly.  I honestly don't know.  I agree testing this could be
quite insightful.  Given the size of the mask field, this optimization
does seem minor.

> Also, setting bitfields so small kind of boxes in any future
> capability enhancements.

I don't see any problem there since there are 13 bits left over in the
reserved field from which we can pull should there be any future needs.
Since these are internal structures, enlarging them in the future should
present no special problems.  listnr is already limited to 4 bits by the
prepend flag value of 0x10 passed in with it.  field_count is already
taking 7 bits to represent 64 (rather than 6 bits for 63) so that one
could go to 127...  action still has one value left before needing
expansion.  flags could use the bottom 4 bits, but that seems
unnecessary since expanding it bitwidth is trivial.

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  include/linux/audit.h |   13 +++++++------
> >  1 files changed, 7 insertions(+), 6 deletions(-)
> > 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index b481779..bd06f92 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -46,13 +46,14 @@ struct audit_tree;
> >  struct sk_buff;
> > 
> >  struct audit_krule {
> > -	u32			pflags;
> > -	u32			flags;
> > -	u32			listnr;
> > -	u32			action;
> > -	u32			mask[AUDIT_BITMASK_SIZE];
> > +	u32			listnr:4,
> > +				flags:5,
> > +				action:2,
> > +				pflags:1,
> > +				field_count:7,
> > +				reserved:13;
> >  	u32			buflen; /* for data alloc on list rules */
> > -	u32			field_count;
> > +	u32			mask[AUDIT_BITMASK_SIZE];
> >  	char			*filterkey; /* ties events to rules */
> >  	struct audit_field	*fields;
> >  	struct audit_field	*arch_f; /* quick access to arch field */
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545