----- "Eric Paris" <eparis(a)redhat.com> wrote:
Add a new spot in the assembly which will call a function which will
check if audit_n_rules > 0 and if so will set TIF_SYSCALL_AUDIT and if
not will clear TIF_SYSCALL_AUDIT? It might make things slightly worse
on systems which explicitly disable audit and the flag would always be
clear on every task (like you did with the explicit rule) but I'm
guessing might be a win on systems with no rules which are wasting time
on the audit slow path.....
Is "audit_n_rules" a specific enough trigger?
Right now, even if there are no rules configured at all, audit_log_start() while
processing a syscall will mark that syscall for auditing, and all collected information
about the syscall will be logged at syscall exit.
Would the suggested change break this behavior?
Mirek
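To make the interaction between Eric's proposal and Mirek's concern concrete, here is an added C model of the two mechanisms; it is not kernel code and comes from neither poster. The struct, the `audit_sync_tif`, `audit_log_start_model`, `syscall_exit_model` and `run_syscall` functions and the flag bit value are assumptions made for the model.

```c
#include <stdbool.h>

/* Simplified model of the state discussed in the thread (not kernel code):
 * a per-task thread-info flag word and the global rule count. */
#define TIF_SYSCALL_AUDIT (1u << 7)   /* bit position chosen for the model */

struct task_model {
    unsigned int tif_flags;   /* stands in for thread_info flags */
    bool ctx_marked;          /* audit context marked "audit this syscall" */
    int records_logged;       /* syscall records emitted at exit */
};

int audit_n_rules = 0;        /* global rule count, as named in the thread */

/* Eric's proposal: resync TIF_SYSCALL_AUDIT from the rule count on entry. */
void audit_sync_tif(struct task_model *t) {
    if (audit_n_rules > 0)
        t->tif_flags |= TIF_SYSCALL_AUDIT;
    else
        t->tif_flags &= ~TIF_SYSCALL_AUDIT;
}

/* Mirek's point: audit_log_start() during a syscall marks that syscall for
 * auditing whether or not any rules are loaded. */
void audit_log_start_model(struct task_model *t) {
    t->ctx_marked = true;
}

/* Syscall exit: the audit slow path is only entered when TIF_SYSCALL_AUDIT
 * is set, so a marked syscall is logged only if the flag survived. */
void syscall_exit_model(struct task_model *t) {
    if ((t->tif_flags & TIF_SYSCALL_AUDIT) && t->ctx_marked)
        t->records_logged++;
    t->ctx_marked = false;
}

/* One syscall that calls audit_log_start() part-way through.
 * Assumes the task starts with the flag set, as when audit is enabled.
 * Returns the number of records logged at exit. */
int run_syscall(bool apply_proposal, int n_rules) {
    struct task_model t = { .tif_flags = TIF_SYSCALL_AUDIT };
    audit_n_rules = n_rules;
    if (apply_proposal)
        audit_sync_tif(&t);
    audit_log_start_model(&t);
    syscall_exit_model(&t);
    return t.records_logged;
}
```

With no rules loaded, the model logs the marked syscall today but drops it once the proposal clears the flag on entry, which is exactly the behaviour change Mirek asks about.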