lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHC9VhSM9Pfe-HEHh0zGK473d=sWAEvoAxYVWVmsTos=EqqQOg@mail.gmail.com>
Date:   Fri, 14 Apr 2023 10:44:40 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Eiichi Tsukata <eiichi.tsukata@...anix.com>
Cc:     eparis@...hat.com, linux-kernel@...r.kernel.org,
        audit@...r.kernel.org
Subject: Re: [PATCH] audit: use pid.is_auditd to make auditd_test_task() faster

On Thu, Apr 13, 2023 at 11:14 PM Eiichi Tsukata
<eiichi.tsukata@...anix.com> wrote:
>
> auditd_test_task() is a hot path of system call auditing. This patch
> introduces a new bit field "is_auditd" in pid struct which can be used
> for faster check of registered audit daemon.
>
> Benchmark
> =========
>
> Run the following command:
>
>   dd if=/dev/zero of=/dev/null bs=1 count=5M
>
> With rule:
>
>   -a never,exit -F arch=b64 -S uname
>
> Result:
>
>   Base line    : 2.572 sec
>   /w this patch: 2.412 sec (6.6% faster)
>
> Signed-off-by: Eiichi Tsukata <eiichi.tsukata@...anix.com>
> ---
>  include/linux/pid.h |  4 ++++
>  kernel/audit.c      | 22 ++--------------------
>  kernel/audit.h      |  3 ++-
>  kernel/pid.c        |  3 +++
>  4 files changed, 11 insertions(+), 21 deletions(-)
>
> diff --git a/include/linux/pid.h b/include/linux/pid.h
> index 343abf22092e..5fe38e254c9a 100644
> --- a/include/linux/pid.h
> +++ b/include/linux/pid.h
> @@ -68,6 +68,10 @@ struct pid
>         wait_queue_head_t wait_pidfd;
>         struct rcu_head rcu;
>         struct upid numbers[1];
> +#ifdef CONFIG_AUDIT
> +       /* registered audit daemon tgid */
> +       unsigned is_auditd:1;
> +#endif
>  };

Thank you for the patch, but I don't think we want to add an audit
specific field to the pid struct at this time.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ