diff options
| author | Eric Paris <eparis@redhat.com> | 2012-04-03 12:37:02 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-03 12:48:40 -0400 |
| commit | 3b3b0e4fc15efa507b902d90cea39e496a523c3b (patch) | |
| tree | d7b91c21ad6c6f4ac21dd51297b74eec47c61684 /security/apparmor/audit.c | |
| parent | 95694129b43165911dc4e8a972f0d39ad98d86be (diff) | |
LSM: shrink sizeof LSM specific portion of common_audit_data
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/apparmor/audit.c')
| -rw-r--r-- | security/apparmor/audit.c | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 5ff67776a5ad..23f7eb658d9c 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c | |||
| @@ -115,23 +115,23 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 115 | 115 | ||
| 116 | if (aa_g_audit_header) { | 116 | if (aa_g_audit_header) { |
| 117 | audit_log_format(ab, "apparmor="); | 117 | audit_log_format(ab, "apparmor="); |
| 118 | audit_log_string(ab, aa_audit_type[sa->aad.type]); | 118 | audit_log_string(ab, aa_audit_type[sa->aad->type]); |
| 119 | } | 119 | } |
| 120 | 120 | ||
| 121 | if (sa->aad.op) { | 121 | if (sa->aad->op) { |
| 122 | audit_log_format(ab, " operation="); | 122 | audit_log_format(ab, " operation="); |
| 123 | audit_log_string(ab, op_table[sa->aad.op]); | 123 | audit_log_string(ab, op_table[sa->aad->op]); |
| 124 | } | 124 | } |
| 125 | 125 | ||
| 126 | if (sa->aad.info) { | 126 | if (sa->aad->info) { |
| 127 | audit_log_format(ab, " info="); | 127 | audit_log_format(ab, " info="); |
| 128 | audit_log_string(ab, sa->aad.info); | 128 | audit_log_string(ab, sa->aad->info); |
| 129 | if (sa->aad.error) | 129 | if (sa->aad->error) |
| 130 | audit_log_format(ab, " error=%d", sa->aad.error); | 130 | audit_log_format(ab, " error=%d", sa->aad->error); |
| 131 | } | 131 | } |
| 132 | 132 | ||
| 133 | if (sa->aad.profile) { | 133 | if (sa->aad->profile) { |
| 134 | struct aa_profile *profile = sa->aad.profile; | 134 | struct aa_profile *profile = sa->aad->profile; |
| 135 | pid_t pid; | 135 | pid_t pid; |
| 136 | rcu_read_lock(); | 136 | rcu_read_lock(); |
| 137 | pid = rcu_dereference(tsk->real_parent)->pid; | 137 | pid = rcu_dereference(tsk->real_parent)->pid; |
| @@ -145,9 +145,9 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 145 | audit_log_untrustedstring(ab, profile->base.hname); | 145 | audit_log_untrustedstring(ab, profile->base.hname); |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | if (sa->aad.name) { | 148 | if (sa->aad->name) { |
| 149 | audit_log_format(ab, " name="); | 149 | audit_log_format(ab, " name="); |
| 150 | audit_log_untrustedstring(ab, sa->aad.name); | 150 | audit_log_untrustedstring(ab, sa->aad->name); |
| 151 | } | 151 | } |
| 152 | } | 152 | } |
| 153 | 153 | ||
| @@ -159,7 +159,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 159 | void aa_audit_msg(int type, struct common_audit_data *sa, | 159 | void aa_audit_msg(int type, struct common_audit_data *sa, |
| 160 | void (*cb) (struct audit_buffer *, void *)) | 160 | void (*cb) (struct audit_buffer *, void *)) |
| 161 | { | 161 | { |
| 162 | sa->aad.type = type; | 162 | sa->aad->type = type; |
| 163 | sa->lsm_pre_audit = audit_pre; | 163 | sa->lsm_pre_audit = audit_pre; |
| 164 | sa->lsm_post_audit = cb; | 164 | sa->lsm_post_audit = cb; |
| 165 | common_lsm_audit(sa); | 165 | common_lsm_audit(sa); |
| @@ -184,7 +184,7 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, | |||
| 184 | BUG_ON(!profile); | 184 | BUG_ON(!profile); |
| 185 | 185 | ||
| 186 | if (type == AUDIT_APPARMOR_AUTO) { | 186 | if (type == AUDIT_APPARMOR_AUTO) { |
| 187 | if (likely(!sa->aad.error)) { | 187 | if (likely(!sa->aad->error)) { |
| 188 | if (AUDIT_MODE(profile) != AUDIT_ALL) | 188 | if (AUDIT_MODE(profile) != AUDIT_ALL) |
| 189 | return 0; | 189 | return 0; |
| 190 | type = AUDIT_APPARMOR_AUDIT; | 190 | type = AUDIT_APPARMOR_AUDIT; |
| @@ -196,21 +196,21 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, | |||
| 196 | if (AUDIT_MODE(profile) == AUDIT_QUIET || | 196 | if (AUDIT_MODE(profile) == AUDIT_QUIET || |
| 197 | (type == AUDIT_APPARMOR_DENIED && | 197 | (type == AUDIT_APPARMOR_DENIED && |
| 198 | AUDIT_MODE(profile) == AUDIT_QUIET)) | 198 | AUDIT_MODE(profile) == AUDIT_QUIET)) |
| 199 | return sa->aad.error; | 199 | return sa->aad->error; |
| 200 | 200 | ||
| 201 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) | 201 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) |
| 202 | type = AUDIT_APPARMOR_KILL; | 202 | type = AUDIT_APPARMOR_KILL; |
| 203 | 203 | ||
| 204 | if (!unconfined(profile)) | 204 | if (!unconfined(profile)) |
| 205 | sa->aad.profile = profile; | 205 | sa->aad->profile = profile; |
| 206 | 206 | ||
| 207 | aa_audit_msg(type, sa, cb); | 207 | aa_audit_msg(type, sa, cb); |
| 208 | 208 | ||
| 209 | if (sa->aad.type == AUDIT_APPARMOR_KILL) | 209 | if (sa->aad->type == AUDIT_APPARMOR_KILL) |
| 210 | (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); | 210 | (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); |
| 211 | 211 | ||
| 212 | if (sa->aad.type == AUDIT_APPARMOR_ALLOWED) | 212 | if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) |
| 213 | return complain_error(sa->aad.error); | 213 | return complain_error(sa->aad->error); |
| 214 | 214 | ||
| 215 | return sa->aad.error; | 215 | return sa->aad->error; |
| 216 | } | 216 | } |