diff options
author | Steve Grubb <sgrubb@redhat.com> | 2006-04-03 14:06:13 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-05-01 06:09:53 -0400 |
commit | 1b50eed9cac0e8e5e4d3a522d8aa267f7f8f8acb (patch) | |
tree | c66a1c3be846e34f1aac5db640b7ccb8770e8a80 /kernel | |
parent | 3dc7e3153eddfcf7ba8b50628775ba516e5f759f (diff) |
[PATCH] audit inode patch
Previously, we were gathering the context instead of the sid. Now in this patch,
we gather just the sid and convert to context only if an audit event is being
output.
This patch brings the performance hit from 146% down to 23%
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/auditsc.c | 53 |
1 files changed, 16 insertions, 37 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d3d97d28b69a..2e123a8a0d60 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -90,7 +90,7 @@ struct audit_names { | |||
90 | uid_t uid; | 90 | uid_t uid; |
91 | gid_t gid; | 91 | gid_t gid; |
92 | dev_t rdev; | 92 | dev_t rdev; |
93 | char *ctx; | 93 | u32 osid; |
94 | }; | 94 | }; |
95 | 95 | ||
96 | struct audit_aux_data { | 96 | struct audit_aux_data { |
@@ -410,9 +410,6 @@ static inline void audit_free_names(struct audit_context *context) | |||
410 | #endif | 410 | #endif |
411 | 411 | ||
412 | for (i = 0; i < context->name_count; i++) { | 412 | for (i = 0; i < context->name_count; i++) { |
413 | char *p = context->names[i].ctx; | ||
414 | context->names[i].ctx = NULL; | ||
415 | kfree(p); | ||
416 | if (context->names[i].name) | 413 | if (context->names[i].name) |
417 | __putname(context->names[i].name); | 414 | __putname(context->names[i].name); |
418 | } | 415 | } |
@@ -674,6 +671,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
674 | } | 671 | } |
675 | } | 672 | } |
676 | for (i = 0; i < context->name_count; i++) { | 673 | for (i = 0; i < context->name_count; i++) { |
674 | int call_panic = 0; | ||
677 | unsigned long ino = context->names[i].ino; | 675 | unsigned long ino = context->names[i].ino; |
678 | unsigned long pino = context->names[i].pino; | 676 | unsigned long pino = context->names[i].pino; |
679 | 677 | ||
@@ -703,12 +701,22 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
703 | context->names[i].gid, | 701 | context->names[i].gid, |
704 | MAJOR(context->names[i].rdev), | 702 | MAJOR(context->names[i].rdev), |
705 | MINOR(context->names[i].rdev)); | 703 | MINOR(context->names[i].rdev)); |
706 | if (context->names[i].ctx) { | 704 | if (context->names[i].osid != 0) { |
707 | audit_log_format(ab, " obj=%s", | 705 | char *ctx = NULL; |
708 | context->names[i].ctx); | 706 | u32 len; |
707 | if (selinux_ctxid_to_string( | ||
708 | context->names[i].osid, &ctx, &len)) { | ||
709 | audit_log_format(ab, " obj=%u", | ||
710 | context->names[i].osid); | ||
711 | call_panic = 1; | ||
712 | } else | ||
713 | audit_log_format(ab, " obj=%s", ctx); | ||
714 | kfree(ctx); | ||
709 | } | 715 | } |
710 | 716 | ||
711 | audit_log_end(ab); | 717 | audit_log_end(ab); |
718 | if (call_panic) | ||
719 | audit_panic("error converting sid to string"); | ||
712 | } | 720 | } |
713 | } | 721 | } |
714 | 722 | ||
@@ -946,37 +954,8 @@ void audit_putname(const char *name) | |||
946 | void audit_inode_context(int idx, const struct inode *inode) | 954 | void audit_inode_context(int idx, const struct inode *inode) |
947 | { | 955 | { |
948 | struct audit_context *context = current->audit_context; | 956 | struct audit_context *context = current->audit_context; |
949 | const char *suffix = security_inode_xattr_getsuffix(); | ||
950 | char *ctx = NULL; | ||
951 | int len = 0; | ||
952 | |||
953 | if (!suffix) | ||
954 | goto ret; | ||
955 | |||
956 | len = security_inode_getsecurity(inode, suffix, NULL, 0, 0); | ||
957 | if (len == -EOPNOTSUPP) | ||
958 | goto ret; | ||
959 | if (len < 0) | ||
960 | goto error_path; | ||
961 | |||
962 | ctx = kmalloc(len, GFP_KERNEL); | ||
963 | if (!ctx) | ||
964 | goto error_path; | ||
965 | |||
966 | len = security_inode_getsecurity(inode, suffix, ctx, len, 0); | ||
967 | if (len < 0) | ||
968 | goto error_path; | ||
969 | |||
970 | kfree(context->names[idx].ctx); | ||
971 | context->names[idx].ctx = ctx; | ||
972 | goto ret; | ||
973 | 957 | ||
974 | error_path: | 958 | selinux_get_inode_sid(inode, &context->names[idx].osid); |
975 | if (ctx) | ||
976 | kfree(ctx); | ||
977 | audit_panic("error in audit_inode_context"); | ||
978 | ret: | ||
979 | return; | ||
980 | } | 959 | } |
981 | 960 | ||
982 | 961 | ||