authorLinus Torvalds <torvalds@linux-foundation.org>2012-04-04 13:11:24 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-04-04 13:11:24 -0400
commita5149bf3fed59b94207809704b5d06fec337a771 (patch)
tree7a2f0297d35c962040bdd90981376c4b41c40c0f /include/linux
parent3ff8f932bce11fc89e435acb30263a06cb8bd084 (diff)
parentb61c37f57988567c84359645f8202a7c84bc798a (diff)
Merge branch 'selinux' ("struct common_audit_data" sanitizer)
Merge common_audit_data cleanup patches from Eric Paris. This is really too late, but it's a long-overdue cleanup of the costly wrapper functions for the security layer. The "struct common_audit_data" is used all over in critical paths, allocated and initialized on the stack. And used to be much too large, causing not only unnecessarily big stack frames but the clearing of the (mostly useless) data was also very visible in profiles. As a particular example, in one microbenchmark for just doing "stat()" over files a lot, selinux_inode_permission() used 7% of the CPU time. That's despite the fact that it doesn't actually *do* anything: it is just a helper wrapper function in the selinux security layer. This patch-series shrinks "struct common_audit_data" sufficiently that code generation for these kinds of wrapper functions is improved noticeably, and we spend much less time just initializing data that we will never use. The functions still get called all the time, and it still shows up at 3.5+% in my microbenchmark, but it's quite a bit lower down the list, and much less noticeable. * Emailed patches from Eric Paris <eparis@redhat.com>: lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data' SELinux: do not allocate stack space for AVC data unless needed SELinux: remove avd from slow_avc_audit() SELinux: remove avd from selinux_audit_data LSM: shrink the common_audit_data data union LSM: shrink sizeof LSM specific portion of common_audit_data
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/lsm_audit.h96
1 files changed, 25 insertions, 71 deletions
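diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index eab507f2b1cb..fad48aab893b 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -22,6 +22,23 @@
 #include <linux/key.h>
 #include <linux/skbuff.h>
 
+struct lsm_network_audit {
+ int netif;
+ struct sock *sk;
+ u16 family;
+ __be16 dport;
+ __be16 sport;
+ union {
+ struct {
+ __be32 daddr;
+ __be32 saddr;
+ } v4;
+ struct {
+ struct in6_addr daddr;
+ struct in6_addr saddr;
+ } v6;
+ } fam;
+};
 
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
@@ -41,23 +58,7 @@ struct common_audit_data {
  struct path path;
  struct dentry *dentry;
  struct inode *inode;
- struct {
- int netif;
- struct sock *sk;
- u16 family;
- __be16 dport;
- __be16 sport;
- union {
- struct {
- __be32 daddr;
- __be32 saddr;
- } v4;
- struct {
- struct in6_addr daddr;
- struct in6_addr saddr;
- } v6;
- } fam;
- } net;
+ struct lsm_network_audit *net;
  int cap;
  int ipc_id;
  struct task_struct *tsk;
@@ -72,64 +73,15 @@ struct common_audit_data {
  /* this union contains LSM specific data */
  union {
 #ifdef CONFIG_SECURITY_SMACK
- /* SMACK data */
- struct smack_audit_data {
- const char *function;
- char *subject;
- char *object;
- char *request;
- int result;
- } smack_audit_data;
+ struct smack_audit_data *smack_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_SELINUX
- /* SELinux data */
- struct {
- u32 ssid;
- u32 tsid;
- u16 tclass;
- u32 requested;
- u32 audited;
- u32 denied;
- /*
- * auditdeny is a bit tricky and unintuitive. See the
- * comments in avc.c for it's meaning and usage.
- */
- u32 auditdeny;
- struct av_decision *avd;
- int result;
- } selinux_audit_data;
+ struct selinux_audit_data *selinux_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_APPARMOR
- struct {
- int error;
- int op;
- int type;
- void *profile;
- const char *name;
- const char *info;
- union {
- void *target;
- struct {
- long pos;
- void *target;
- } iface;
- struct {
- int rlim;
- unsigned long max;
- } rlim;
- struct {
- const char *target;
- u32 request;
- u32 denied;
- uid_t ouid;
- } fs;
- };
- } apparmor_audit_data;
+ struct apparmor_audit_data *apparmor_audit_data;
 #endif
- };
- /* these callback will be implemented by a specific LSM */
- void (*lsm_pre_audit)(struct audit_buffer *, void *);
- void (*lsm_post_audit)(struct audit_buffer *, void *);
+ }; /* per LSM data pointer union */
 };
 
 #define v4info fam.v4
@@ -146,6 +98,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
  { memset((_d), 0, sizeof(struct common_audit_data)); \
  (_d)->type = LSM_AUDIT_DATA_##_t; }
 
-void common_lsm_audit(struct common_audit_data *a);
+void common_lsm_audit(struct common_audit_data *a,
+ void (*pre_audit)(struct audit_buffer *, void *),
+ void (*post_audit)(struct audit_buffer *, void *));
 
 #endif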
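Review bot: The new `net`, `smack_audit_data`, `selinux_audit_data` and `apparmor_audit_data` members of `struct common_audit_data` are now borrowed pointers, but nothing in the header says who owns the pointee or how long it must stay valid; the old embedded structs could not dangle, so an ownership comment is worth adding at the `struct lsm_network_audit *net;` line in the second hunk, e.g. `/* caller-owned; must remain valid until common_lsm_audit() returns */`, and the same applies to the three LSM pointers in the third hunk. The `common_lsm_audit()` prototype in the last hunk likewise does not say whether `pre_audit`/`post_audit` may be NULL — presumably the implementation in lsm_audit.c decides that, so a one-line comment above the declaration stating the contract would help callers. `LSM_AUDIT_DATA_INIT` still zeroes the whole struct, so every new pointer member starts out NULL and the dump code must treat NULL as "no data"; that code is outside this diff.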