diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-04 19:11:24 +0200 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-04 19:11:24 +0200 |
| commit | a5149bf3fed59b94207809704b5d06fec337a771 (patch) | |
| tree | 7a2f0297d35c962040bdd90981376c4b41c40c0f /security/apparmor/ipc.c | |
| parent | Merge tag 'regmap-3.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broon... (diff) | |
| parent | lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit... (diff) | |
| download | linux-a5149bf3fed59b94207809704b5d06fec337a771.tar.xz linux-a5149bf3fed59b94207809704b5d06fec337a771.zip | |
Merge branch 'selinux' ("struct common_audit_data" sanitizer)
Merge common_audit_data cleanup patches from Eric Paris.
This is really too late, but it's a long-overdue cleanup of the costly
wrapper functions for the security layer.
The "struct common_audit_data" is used all over in critical paths,
allocated and initialized on the stack. And used to be much too large,
causing not only unnecessarily big stack frames but the clearing of the
(mostly useless) data was also very visible in profiles.
As a particular example, in one microbenchmark for just doing "stat()"
over files a lot, selinux_inode_permission() used 7% of the CPU time.
That's despite the fact that it doesn't actually *do* anything: it is
just a helper wrapper function in the selinux security layer.
This patch-series shrinks "struct common_audit_data" sufficiently that
code generation for these kinds of wrapper functions is improved
noticeably, and we spend much less time just initializing data that we
will never use.
The functions still get called all the time, and it still shows up at
3.5+% in my microbenchmark, but it's quite a bit lower down the list,
and much less noticeable.
* Emailed patches from Eric Paris <eparis@redhat.com>:
lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'
SELinux: do not allocate stack space for AVC data unless needed
SELinux: remove avd from slow_avc_audit()
SELinux: remove avd from selinux_audit_data
LSM: shrink the common_audit_data data union
LSM: shrink sizeof LSM specific portion of common_audit_data
Diffstat (limited to 'security/apparmor/ipc.c')
| -rw-r--r-- | security/apparmor/ipc.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c index 7ee05c6f3c64..c3da93a5150d 100644 --- a/security/apparmor/ipc.c +++ b/security/apparmor/ipc.c @@ -26,7 +26,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) { struct common_audit_data *sa = va; audit_log_format(ab, " target="); - audit_log_untrustedstring(ab, sa->aad.target); + audit_log_untrustedstring(ab, sa->aad->target); } /** @@ -41,10 +41,12 @@ static int aa_audit_ptrace(struct aa_profile *profile, struct aa_profile *target, int error) { struct common_audit_data sa; + struct apparmor_audit_data aad = {0,}; COMMON_AUDIT_DATA_INIT(&sa, NONE); - sa.aad.op = OP_PTRACE; - sa.aad.target = target; - sa.aad.error = error; + sa.aad = &aad; + aad.op = OP_PTRACE; + aad.target = target; + aad.error = error; return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa, audit_cb); |