Hi Jason,
On Mon, Mar 06, 2006 at 10:32:01AM -0500, Jason Baron wrote:
Patch is below. The idea behind this patch is based on a suggestion
from
Steve Grubb to not call 'audit_syscall_entry' and 'audit_syscall_exit' if
there are no audit rules loaded. This is problematic for the case where
audit_log() is called in the middle of a system call (since we don't have
the entry parameters). We address this issue by creating a partial system
call record for this case, which contains the system call data that is
available at exit time. The patch shows a 30% performance increase for the
case where no rules are loaded on testing system calls in a tight loop.
For your baseline measurement, was syscall auditing enabled or
disabled?
Thanks,
Amy