diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-04 10:11:24 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-04 10:11:24 -0700 |
| commit | a5149bf3fed59b94207809704b5d06fec337a771 (patch) | |
| tree | 7a2f0297d35c962040bdd90981376c4b41c40c0f /include/linux | |
| parent | 3ff8f932bce11fc89e435acb30263a06cb8bd084 (diff) | |
| parent | b61c37f57988567c84359645f8202a7c84bc798a (diff) | |
Merge branch 'selinux' ("struct common_audit_data" sanitizer)
Merge common_audit_data cleanup patches from Eric Paris.
This is really too late, but it's a long-overdue cleanup of the costly
wrapper functions for the security layer.
The "struct common_audit_data" is used all over in critical paths,
allocated and initialized on the stack. And used to be much too large,
causing not only unnecessarily big stack frames but the clearing of the
(mostly useless) data was also very visible in profiles.
As a particular example, in one microbenchmark for just doing "stat()"
over files a lot, selinux_inode_permission() used 7% of the CPU time.
That's despite the fact that it doesn't actually *do* anything: it is
just a helper wrapper function in the selinux security layer.
This patch-series shrinks "struct common_audit_data" sufficiently that
code generation for these kinds of wrapper functions is improved
noticeably, and we spend much less time just initializing data that we
will never use.
The functions still get called all the time, and it still shows up at
3.5+% in my microbenchmark, but it's quite a bit lower down the list,
and much less noticeable.
* Emailed patches from Eric Paris <eparis@redhat.com>:
lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'
SELinux: do not allocate stack space for AVC data unless needed
SELinux: remove avd from slow_avc_audit()
SELinux: remove avd from selinux_audit_data
LSM: shrink the common_audit_data data union
LSM: shrink sizeof LSM specific portion of common_audit_data
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/lsm_audit.h | 96 |
1 files changed, 25 insertions, 71 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index eab507f2b1cb..fad48aab893b 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -22,6 +22,23 @@ #include <linux/key.h> #include <linux/skbuff.h> +struct lsm_network_audit { + int netif; + struct sock *sk; + u16 family; + __be16 dport; + __be16 sport; + union { + struct { + __be32 daddr; + __be32 saddr; + } v4; + struct { + struct in6_addr daddr; + struct in6_addr saddr; + } v6; + } fam; +}; /* Auxiliary data to use in generating the audit record. */ struct common_audit_data { @@ -41,23 +58,7 @@ struct common_audit_data { struct path path; struct dentry *dentry; struct inode *inode; - struct { - int netif; - struct sock *sk; - u16 family; - __be16 dport; - __be16 sport; - union { - struct { - __be32 daddr; - __be32 saddr; - } v4; - struct { - struct in6_addr daddr; - struct in6_addr saddr; - } v6; - } fam; - } net; + struct lsm_network_audit *net; int cap; int ipc_id; struct task_struct *tsk; @@ -72,64 +73,15 @@ struct common_audit_data { /* this union contains LSM specific data */ union { #ifdef CONFIG_SECURITY_SMACK - /* SMACK data */ - struct smack_audit_data { - const char *function; - char *subject; - char *object; - char *request; - int result; - } smack_audit_data; + struct smack_audit_data *smack_audit_data; #endif #ifdef CONFIG_SECURITY_SELINUX - /* SELinux data */ - struct { - u32 ssid; - u32 tsid; - u16 tclass; - u32 requested; - u32 audited; - u32 denied; - /* - * auditdeny is a bit tricky and unintuitive. See the - * comments in avc.c for it's meaning and usage. - */ - u32 auditdeny; - struct av_decision *avd; - int result; - } selinux_audit_data; + struct selinux_audit_data *selinux_audit_data; #endif #ifdef CONFIG_SECURITY_APPARMOR - struct { - int error; - int op; - int type; - void *profile; - const char *name; - const char *info; - union { - void *target; - struct { - long pos; - void *target; - } iface; - struct { - int rlim; - unsigned long max; - } rlim; - struct { - const char *target; - u32 request; - u32 denied; - uid_t ouid; - } fs; - }; - } apparmor_audit_data; + struct apparmor_audit_data *apparmor_audit_data; #endif - }; - /* these callback will be implemented by a specific LSM */ - void (*lsm_pre_audit)(struct audit_buffer *, void *); - void (*lsm_post_audit)(struct audit_buffer *, void *); + }; /* per LSM data pointer union */ }; #define v4info fam.v4 @@ -146,6 +98,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb, { memset((_d), 0, sizeof(struct common_audit_data)); \ (_d)->type = LSM_AUDIT_DATA_##_t; } -void common_lsm_audit(struct common_audit_data *a); +void common_lsm_audit(struct common_audit_data *a, + void (*pre_audit)(struct audit_buffer *, void *), + void (*post_audit)(struct audit_buffer *, void *)); #endif |