List: linux-audit
Subject: Re: Watch Performance
From: Amy Griffis <amy.griffis () hp ! com>
Date: 2006-04-24 15:34:20
Message-ID: 20060424153420.GA17807 () zk3 ! dec ! com
Alexander Viro wrote: [Fri Apr 21 2006, 12:07:52PM EDT]
> On Fri, Apr 21, 2006 at 11:10:21AM -0400, Linda Knippers wrote:
> >
> > > Al proposed a different solution. You might want to check with him for
> > > details. It was discussed at the Monday Telecon.
> >
> > Maybe Al could post something? With the buzz on the phone line some
> > of the discussion was hard to follow.
>
> Basically, add 3 families of rule lists. Rule that has one AUDIT_INODE
> or AUDIT_WATCH field and would currently sit in audit_filter_list[n]
> would be moved to audit_filter_list[AUDIT_NR_FILTERS + n * 31 + ino % 31]
> where ino is inode number from the AUDIT_INODE/AUDIT_WATCH field of that
> rule. Everything else would remain where it is now.
>
> If ->ino changes during the lifetime, rule would have to be moved between
> these lists.
>
> When we are trying to match context with rules on (current) list #n, we
> _know_ that many of them won't match just on the grounds of ->ino mismatch.
> With that splitting of lists we can skip most of those - rules from the
> current list #n will be on list #n and 31 lists starting with
> AUDIT_NR_FILTERS + 31*n. We only need to scan
> n (that's where non-watch rules remain)
> AUDIT_NR_FILTERS + 31*n + ctx->names[i].ino % 31 for each i less than
> ctx->name_count.
>
> Everything else is not going to match and doesn't have to be looked at.

While the per-syscall lists would be a good overall improvement to
audit filtering, this better solves the specific problem of many
inode-based rules.

Since inodes are only applicable to the syscall exit filter list, it
could be simplified to use a single inode-based hash, instead of one
for each filterlist (AUDIT_NR_FILTERS).

I'd be happy to add this functionality as a follow-on patch to the
filesystem auditing patch, if no one else is working on it.

Amy
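
The list-splitting scheme quoted above, as an added user-space sketch that is not part of the original message and is not kernel code. The structs, the helpers bucket(), add_rule(), move_rule() and filter(), MAX_RULES, and the value given to AUDIT_NR_FILTERS are assumptions made for illustration; only the index formula and the modulus 31 come from the message.

```c
#define AUDIT_NR_FILTERS 6   /* assumed value for this sketch */
#define NBUCKET 31           /* modulus from the proposal */
#define NR_LISTS (AUDIT_NR_FILTERS + AUDIT_NR_FILTERS * NBUCKET)
#define MAX_RULES 64         /* fixed per-list capacity, sketch only */
struct rule { int has_ino; unsigned long ino; };        /* hypothetical */
struct ctx  { int name_count; unsigned long ino[8]; };  /* stands in for ctx->names[i].ino */

static struct rule lists[NR_LISTS][MAX_RULES];
static int list_len[NR_LISTS];

/* Index of the hashed list for an inode/watch rule that would sit on list n. */
static int bucket(int n, unsigned long ino)
{
    return AUDIT_NR_FILTERS + n * NBUCKET + (int)(ino % NBUCKET);
}

/* Rules without an inode field stay on list n; the rest go to their bucket. */
static int add_rule(int n, struct rule r)
{
    int idx = r.has_ino ? bucket(n, r.ino) : n;
    if (list_len[idx] >= MAX_RULES)
        return -1;
    lists[idx][list_len[idx]++] = r;
    return idx;
}

/* ->ino changed: unlink from the old bucket and relink on the new one. */
static int move_rule(int n, unsigned long old_ino, unsigned long new_ino)
{
    int idx = bucket(n, old_ino);
    for (int k = 0; k < list_len[idx]; k++)
        if (lists[idx][k].ino == old_ino) {
            lists[idx][k] = lists[idx][--list_len[idx]];  /* order not kept */
            return add_rule(n, (struct rule){ 1, new_ino });
        }
    return -1;
}

/* Scan list n plus one bucket per name in the context. Returns the number of
 * inode-rule matches and stores how many rules had to be examined. */
static int filter(int n, const struct ctx *c, int *examined)
{
    int hits = 0;
    *examined = list_len[n];           /* non-watch rules are always scanned */
    for (int i = 0; i < c->name_count; i++) {
        int idx = bucket(n, c->ino[i]);
        for (int k = 0; k < list_len[idx]; k++, (*examined)++)
            hits += lists[idx][k].ino == c->ino[i];
    }
    return hits;
}
```

With 100 inode rules and 2 plain rules loaded on one list (constructed input), a context naming two inodes examines 9 rules instead of 102.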