diff options
| author | Eric Paris <eparis@redhat.com> | 2012-04-03 12:37:02 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-03 12:48:40 -0400 |
| commit | 3b3b0e4fc15efa507b902d90cea39e496a523c3b (patch) | |
| tree | d7b91c21ad6c6f4ac21dd51297b74eec47c61684 /include | |
| parent | 95694129b43165911dc4e8a972f0d39ad98d86be (diff) | |
LSM: shrink sizeof LSM specific portion of common_audit_data
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/lsm_audit.h | 54 |
1 files changed, 4 insertions, 50 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index eab507f2b1cb..6f4fb37aac88 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h | |||
| @@ -72,61 +72,15 @@ struct common_audit_data { | |||
| 72 | /* this union contains LSM specific data */ | 72 | /* this union contains LSM specific data */ |
| 73 | union { | 73 | union { |
| 74 | #ifdef CONFIG_SECURITY_SMACK | 74 | #ifdef CONFIG_SECURITY_SMACK |
| 75 | /* SMACK data */ | 75 | struct smack_audit_data *smack_audit_data; |
| 76 | struct smack_audit_data { | ||
| 77 | const char *function; | ||
| 78 | char *subject; | ||
| 79 | char *object; | ||
| 80 | char *request; | ||
| 81 | int result; | ||
| 82 | } smack_audit_data; | ||
| 83 | #endif | 76 | #endif |
| 84 | #ifdef CONFIG_SECURITY_SELINUX | 77 | #ifdef CONFIG_SECURITY_SELINUX |
| 85 | /* SELinux data */ | 78 | struct selinux_audit_data *selinux_audit_data; |
| 86 | struct { | ||
| 87 | u32 ssid; | ||
| 88 | u32 tsid; | ||
| 89 | u16 tclass; | ||
| 90 | u32 requested; | ||
| 91 | u32 audited; | ||
| 92 | u32 denied; | ||
| 93 | /* | ||
| 94 | * auditdeny is a bit tricky and unintuitive. See the | ||
| 95 | * comments in avc.c for it's meaning and usage. | ||
| 96 | */ | ||
| 97 | u32 auditdeny; | ||
| 98 | struct av_decision *avd; | ||
| 99 | int result; | ||
| 100 | } selinux_audit_data; | ||
| 101 | #endif | 79 | #endif |
| 102 | #ifdef CONFIG_SECURITY_APPARMOR | 80 | #ifdef CONFIG_SECURITY_APPARMOR |
| 103 | struct { | 81 | struct apparmor_audit_data *apparmor_audit_data; |
| 104 | int error; | ||
| 105 | int op; | ||
| 106 | int type; | ||
| 107 | void *profile; | ||
| 108 | const char *name; | ||
| 109 | const char *info; | ||
| 110 | union { | ||
| 111 | void *target; | ||
| 112 | struct { | ||
| 113 | long pos; | ||
| 114 | void *target; | ||
| 115 | } iface; | ||
| 116 | struct { | ||
| 117 | int rlim; | ||
| 118 | unsigned long max; | ||
| 119 | } rlim; | ||
| 120 | struct { | ||
| 121 | const char *target; | ||
| 122 | u32 request; | ||
| 123 | u32 denied; | ||
| 124 | uid_t ouid; | ||
| 125 | } fs; | ||
| 126 | }; | ||
| 127 | } apparmor_audit_data; | ||
| 128 | #endif | 82 | #endif |
| 129 | }; | 83 | }; /* per LSM data pointer union */ |
| 130 | /* these callback will be implemented by a specific LSM */ | 84 | /* these callback will be implemented by a specific LSM */ |
| 131 | void (*lsm_pre_audit)(struct audit_buffer *, void *); | 85 | void (*lsm_pre_audit)(struct audit_buffer *, void *); |
| 132 | void (*lsm_post_audit)(struct audit_buffer *, void *); | 86 | void (*lsm_post_audit)(struct audit_buffer *, void *); |