audit.82 kernel

Steve Grubb sgrubb at redhat.com
Sat Jul 30 12:54:18 UTC 2005


On Saturday 30 July 2005 02:49, David Woodhouse wrote:
> Profiling showed up a couple more bottlenecks

I just ran the same test and we have made a lot of progress in speeding things 
up when there are no rules loaded. The test checks disk access with audit 
enabled and disabled.

These are the current numbers -
DISABLED:
real    0m32.591s
user    0m2.336s
sys     0m30.239s

ENABLED:
real    0m38.829s
user    0m2.036s
sys     0m36.792s

Yesterday, enabled real time was 46s. So, this is a big improvement. Here are 
the current bottlenecks:

 36103 total                    0.0170
  2552 audit_data_get           4.2604
  1568 avc_lookup               8.9600
  1482 inode_has_perm          17.6429
  1239 audit_syscall_exit       1.0098
  1207 __might_sleep            8.8102
  1016 path_lookup              3.2880
   858 dput                     0.8102
   818 audit_notify_watch       9.6235

The patch didn't do anything for audit_data_get and that is now showing up as 
our current problem. Is there any chance of using a different lock scheme 
that is lightweight for readers and heavier for writers? I feel that if we 
can do something for this function, we've got the performance issues solved 
for people that aren't using the audit system.

> I'm _fairly_ sure the removal of audit_zero_context() is OK.

Kris, this new kernel needs thorough testing so we can spot any regressions.

David, my patch differed a little from the one sent to the mail list:

@@ -1052,24 +1055,27 @@ void audit_syscall_exit(struct task_stru
<snip>
-       context->in_syscall = 0;
-       context->auditable  = 0;
-
        if (context->previous) {
                struct audit_context *new_context = context->previous;
                context->previous  = NULL;
                audit_free_context(context);
                tsk->audit_context = new_context;
        } else {
+               context->in_syscall = 0;
+               context->auditable  = 0;
                audit_free_names(context);
                audit_free_aux(context);
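Review bot: the hunk header announces -24,+27 lines but the `<snip>` hides everything between it and the two removed assignments, so a reviewer cannot confirm that nothing in the elided region, or between the `if` and the `else`, still reads `context->in_syscall` or `context->auditable` before the relocated zeroing; please post the full hunk. What is visible is sound: in the `if (context->previous)` branch the context goes straight to `audit_free_context(context)`, so clearing its fields first was dead work, and in the `else` branch the retained context is cleared before `audit_free_names(context)` and `audit_free_aux(context)` run.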

This moves the unconditional zeroing into the path that keeps the context.

-Steve
