Hello,
Attached is a patch against .88 kernel that should help performance. It
removes unconditional loads and changes a couple switch/case constructs to a
lookup & assignment.
There are other performance issues that need checking. In calls that hook the
file system, it is probably better to check that audit is enabled at the
point of the hook rather than in the function:
+++ linux-2.6.9~pre75/fs/attr.c
@@ -68,6 +69,8 @@
unsigned int ia_valid = attr->ia_valid;
int error = 0;
+ audit_notify_watch(inode, MAY_WRITE);
+
if (ia_valid & ATTR_SIZE) {
if (attr->ia_size != i_size_read(inode)) {
error = vmtruncate(inode, attr->ia_size);
+void audit_notify_watch(struct inode *inode, int mask)
+{
+ struct audit_inode_data *data;
+
+ if (likely(!audit_enabled))
+ return;
This means that the variables have to be pushed onto the stack, a call
performed, the enabled test, do a return instruction, and then pop the stack.
Its probably faster to do:
+ if (unlikely(audit_enabled))
+ audit_notify_watch(inode, MAY_WRITE);
+
Same thing with audit_syscall_entry & audit_syscall_exit.
NOTE: I am in no way advocating rolling a .89 release just for this.
-Steve
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.9-speedup-more.patch
Type: text/x-diff
Size: 3184 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050908/78d5565b/attachment.bin>