LSM: shrink sizeof LSM specific portion of common_audit_data

Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop.  This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union.  Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

2 files changed, 18 insertions, 6 deletions

diff --git a/security/smack/smack.h b/security/smack/smack.h
index 2ad00657b80..ccba3823d9e 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -185,6 +185,15 @@ struct smack_known {
  */
 #define SMK_NUM_ACCESS_TYPE 5
 
+/* SMACK data */
+struct smack_audit_data {
+        const char *function;
+        char *subject;
+        char *object;
+        char *request;
+        int result;
+};
+
 /*
  * Smack audit data; is empty if CONFIG_AUDIT not set
  * to save some stack
@@ -192,6 +201,7 @@ struct smack_known {
 struct smk_audit_info {
 #ifdef CONFIG_AUDIT
         struct common_audit_data a;
+        struct smack_audit_data sad;
 #endif
 };
 /*
@@ -311,7 +321,8 @@ static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
 {
         memset(a, 0, sizeof(*a));
         a->a.type = type;
-        a->a.smack_audit_data.function = func;
+        a->a.smack_audit_data = &a->sad;
+        a->a.smack_audit_data->function = func;
 }
 
 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index cc7cb6edba0..2af7fcc98a7 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -275,9 +275,9 @@ static inline void smack_str_from_perm(char *string, int access)
 static void smack_log_callback(struct audit_buffer *ab, void *a)
 {
         struct common_audit_data *ad = a;
-        struct smack_audit_data *sad = &ad->smack_audit_data;
+        struct smack_audit_data *sad = ad->smack_audit_data;
         audit_log_format(ab, "lsm=SMACK fn=%s action=%s",
-                         ad->smack_audit_data.function,
+                         ad->smack_audit_data->function,
                          sad->result ? "denied" : "granted");
         audit_log_format(ab, " subject=");
         audit_log_untrustedstring(ab, sad->subject);
@@ -310,11 +310,12 @@ void smack_log(char *subject_label, char *object_label, int request,
         if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)
                 return;
 
-        if (a->smack_audit_data.function == NULL)
-                a->smack_audit_data.function = "unknown";
+        sad = a->smack_audit_data;
+
+        if (sad->function == NULL)
+                sad->function = "unknown";
 
         /* end preparing the audit data */
-        sad = &a->smack_audit_data;
         smack_str_from_perm(request_buffer, request);
         sad->subject = subject_label;
         sad->object  = object_label;