author | Eric Paris <eparis@redhat.com> | 2012-04-03 09:37:02 -0700 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-03-11 01:10:39 +0100 |
commit | c33496b78350ebfab21240482c11572f955b60fb (patch) | |
tree | 1c992a21d9f61c244faf36d6e2b756354c177a4e /include | |
parent | e05fa3d03b6edf1e930ef3ab79b4bf0bc0db127f (diff) | |
LSM: shrink sizeof LSM specific portion of common_audit_data
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
security/selinux/avc.c
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/lsm_audit.h | 54 |
1 files changed, 4 insertions, 50 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 65e2962..939d356 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -80,61 +80,15 @@ struct common_audit_data {
 /* this union contains LSM specific data */
 union {
 #ifdef CONFIG_SECURITY_SMACK
- /* SMACK data */
- struct smack_audit_data {
- const char *function;
- char *subject;
- char *object;
- char *request;
- int result;
- } smack_audit_data;
+ struct smack_audit_data *smack_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_SELINUX
- /* SELinux data */
- struct {
- u32 ssid;
- u32 tsid;
- u16 tclass;
- u32 requested;
- u32 audited;
- u32 denied;
- /*
- * auditdeny is a bit tricky and unintuitive. See the
- * comments in avc.c for it's meaning and usage.
- */
- u32 auditdeny;
- struct av_decision *avd;
- int result;
- } selinux_audit_data;
+ struct selinux_audit_data *selinux_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_APPARMOR
- struct {
- int error;
- int op;
- int type;
- void *profile;
- const char *name;
- const char *info;
- union {
- void *target;
- struct {
- long pos;
- void *target;
- } iface;
- struct {
- int rlim;
- unsigned long max;
- } rlim;
- struct {
- const char *target;
- u32 request;
- u32 denied;
- uid_t ouid;
- } fs;
- };
- } apparmor_audit_data;
+ struct apparmor_audit_data *apparmor_audit_data;
 #endif
- };
+ }; /* per LSM data pointer union */
 /* these callback will be implemented by a specific LSM */
 void (*lsm_pre_audit)(struct audit_buffer *, void *);
 void (*lsm_post_audit)(struct audit_buffer *, void *); |
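Review bot: The three per-LSM members of the union in `struct common_audit_data` are now bare pointers, and nothing in the header says who owns the pointed-to struct or that it must be set before `lsm_pre_audit`/`lsm_post_audit` run. Any audit path that fills in `common_audit_data` without assigning the pointer would hand the callback a NULL or stale pointer in kernel context. The callers are outside this view (the diffstat is limited to `include`, and the commit notes a conflict in security/selinux/avc.c), so that is worth checking against the backported tree. I would document the contract on the union, e.g. `/* per-LSM data: caller-owned, must be set and stay valid until the audit callbacks return */`. The struct's definition starts and ends outside the hunk.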