Audit issue
Alexander Viro
aviro at redhat.com
Thu Nov 8 14:56:51 UTC 2007
On Thu, Nov 08, 2007 at 09:47:40AM -0500, Steve Grubb wrote:
> On Thursday 08 November 2007 09:32:18 Alexander Viro wrote:
> > > Thanks for posting this patch. Is it impossible to "repair " processes by
> > > simply adding a context if the pointer is NULL?
> >
> > At which point would you do that?
>
> Possibly on syscall exit? Shouldn't the kernel have released all locks by that
> point? And what about syscall entry...isn't that before any locking starts to
> occur?
You do not get there unless you have ->audit_context != NULL. And if
you remove that check, you are in for more overhead.
> True, but I'm thinking this will cause performance to go down if the audit
> system was ever enabled. It doesn't look as bad as the audit system actually
> being on, but it may be doing unnecessary allocations I think.
*shrug*
Easy enough to test - boot with audit disabled, run benchmarks, enable
it, flush all caches (e.g. by memory pressure), rerun the benchmarks,
compare... I don't think it will be serious problem, but if it will
we can always look for trickier solutions.
More information about the Linux-audit
mailing list