On Mon, Feb 3, 2014 at 12:23 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Monday, February 03, 2014 09:53:23 AM Andy Lutomirski wrote:
> > This toggles TIF_SYSCALL_AUDIT as needed when rules change instead of
> > leaving it set whenever rules might be set in the future. This reduces
> > syscall latency from >60ns to closer to 40ns on my laptop.
>
> Does this mean that we have processes that don't have the TIF_SYSCALL_AUDIT
> flag set? When rules get loaded, how do we get the flag put back into all
> processes?

By looping over all processes and setting the flag, which is what my patch does.

> The theory of ops is supposed to be that for anyone not needing audit, there
> is only the cost of "if (tif & TIF_SYSCALL_AUDIT)".

On current kernels *all* processes have TIF_SYSCALL_AUDIT, even if
they don't need auditing because there's nothing to audit. So
everything pays the full cost.

> That should be it. If you have audit enabled or had it enabled (which means
> it might be loaded with new rules), we want to inspect the syscall.

My point is that there's nothing to inspect -- there are no rules.
Unless the audit code needs to do something just in case a non-syscall
audit event gets written, in which case the audit code should IMO be
fixed. (This is what Eric is talking about, I think.)
--Andy
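As an added illustration of the mechanism the thread is arguing about (this is not code from the thread, from Andy's patch, or from the kernel), the following user-space model shows the three pieces involved: the per-task flag word that every syscall entry tests, the loop over all tasks that sets or clears TIF_SYSCALL_AUDIT when the rule count changes, and the fork path copying the parent's flags so a task created after the loop ran still carries the flag. The bit position, the `struct task`, and every function name here are assumptions made for the model; the real kernel does this with `set_tsk_thread_flag()`/`clear_tsk_thread_flag()` while walking tasks under `tasklist_lock`, none of which is used below.

```c
/* Added example: a user-space model of toggling a per-task TIF_SYSCALL_AUDIT
 * flag as audit rules come and go. Not the kernel's code and not Andy's patch;
 * all names and the bit position are assumptions made for this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TIF_SYSCALL_AUDIT_BIT 7                   /* arbitrary for the model */
#define TIF_SYSCALL_AUDIT     (1u << TIF_SYSCALL_AUDIT_BIT)
#define MAX_TASKS 16

/* Modelled task; the kernel keeps these flags in struct thread_info. */
struct task {
    int pid;
    uint32_t tif;            /* thread-info flag word tested on every syscall */
};

static struct task tasks[MAX_TASKS];
static int ntasks;
static int audit_rule_count;  /* number of loaded syscall audit rules */
static int slow_path_hits;    /* how many times the audit path actually ran */

/* Create a task. Fork copies the parent's thread_info flags, so a child
 * created after the set-all loop ran still inherits TIF_SYSCALL_AUDIT. */
static struct task *task_create(int pid, const struct task *parent)
{
    if (ntasks >= MAX_TASKS)
        return NULL;
    struct task *t = &tasks[ntasks++];
    t->pid = pid;
    t->tif = parent ? parent->tif : 0;
    return t;
}

/* Model of the "loop over all processes" step: set the flag on every task
 * while at least one rule is loaded, clear it on every task otherwise. */
static void audit_update_syscall_flag(void)
{
    for (int i = 0; i < ntasks; i++) {
        if (audit_rule_count > 0)
            tasks[i].tif |= TIF_SYSCALL_AUDIT;
        else
            tasks[i].tif &= ~TIF_SYSCALL_AUDIT;
    }
}

static void audit_add_rule(void)
{
    audit_rule_count++;
    audit_update_syscall_flag();
}

static void audit_del_rule(void)
{
    if (audit_rule_count > 0)
        audit_rule_count--;
    audit_update_syscall_flag();
}

/* The per-syscall test from the thread: the only cost a task without the
 * flag pays is this branch. Returns true when the slow audit path was taken. */
static bool syscall_entry(struct task *t)
{
    if (t->tif & TIF_SYSCALL_AUDIT) {
        slow_path_hits++;     /* kernel would do the audit bookkeeping here */
        return true;
    }
    return false;
}

/* How many tasks currently carry the flag (what a rule change must fix up). */
static int count_flagged(void)
{
    int n = 0;
    for (int i = 0; i < ntasks; i++)
        if (tasks[i].tif & TIF_SYSCALL_AUDIT)
            n++;
    return n;
}

static void reset_model(void)
{
    ntasks = 0;
    audit_rule_count = 0;
    slow_path_hits = 0;
}

int main(void)
{
    reset_model();
    struct task *init = task_create(1, NULL);
    task_create(2, init);
    printf("no rules:      flagged=%d slow=%d\n", count_flagged(), syscall_entry(init));
    audit_add_rule();
    struct task *child = task_create(3, init);   /* forked after rules loaded */
    printf("one rule:      flagged=%d slow=%d\n", count_flagged(), syscall_entry(child));
    audit_del_rule();
    printf("rules removed: flagged=%d slow=%d\n", count_flagged(), syscall_entry(child));
    return 0;
}
```

The model makes the cost argument in the thread concrete: with no rules loaded, `count_flagged()` is zero and every `syscall_entry()` takes the cheap branch; loading a rule flags every existing task, a task forked afterwards inherits the flag from its parent, and removing the last rule clears all of them again. What the model deliberately leaves out is the locking a real implementation needs so that a task forked while the loop is running cannot be missed.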