From: Andy Lutomirski
Date: Wed, 7 Mar 2018 16:40:16 +0000
Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated
To: Jiri Kosina, Oleg Nesterov
Cc: Paul Moore, Andrew Morton, Michal Hocko, Andy Lutomirski, LKML

On Wed, Mar 7, 2018 at 10:32 AM, Jiri Kosina wrote:
> From: Jiri Kosina
>
> There is no point going through all the audit slow path syscall entry/exit
> in case the audit daemon is running, but hasn't populated the audit filter
> with any rules whatsoever.
>
> Only set TIF_AUDIT_SYSCALL in case the number of populated audit rules is
> non-zero.
>
> Originally-by: Andy Lutomirski
> Signed-off-by: Jiri Kosina
> ---
>
> This is basically resurrection / rebase of patch Andy Lutomirski sent some
> time back in 2014 or so.
>
> Andy, is there any reason this hasn't been pursued further? I think we
> still want to get some of the slow path performance back.
>

Wow, this was a long time ago. From memory and a bit of email diving,
there are two reasons.

1. The problem was partially solved (by Oleg, IIRC) by making auditctl
-a task,never cause newly spawned tasks to not suck. Yes, it's a very
partial solution. After considerable nagging, I got Fedora to default
to -a task,never.

2. This patch, as is, may be a bit problematic. In particular, if one
task changes the audit rules while another task is in the middle of
the syscall, then it's too late to audit that syscall correctly. This
could be seen as a bug or it could be seen as being just fine.

--Andy
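
The window described in point 2 of the reply, as a deterministic userspace model (an added example, not kernel code and not part of the patch or the thread). Task A makes two syscalls and task B adds the first rule during the first one. The struct, the function names and the two policy names are hypothetical; only the idea of gating TIF_AUDIT_SYSCALL on a non-zero rule count comes from the thread.

```c
/* Added example: userspace model of the in-flight-syscall window; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
enum policy { FLAG_ALWAYS, FLAG_ONLY_IF_RULES };   /* hypothetical names */
struct task {
    bool tif_audit_syscall; /* stands in for TIF_AUDIT_SYSCALL */
    bool entry_ctx_valid;   /* entry slow path captured syscall context */
    int  audited, missed;   /* complete records / wanted but no entry context */
};
static int n_rules;         /* number of populated audit rules */

static void update_flag(struct task *t, enum policy p)
{
    t->tif_audit_syscall = (p == FLAG_ALWAYS) || n_rules > 0;
}

static void syscall_entry(struct task *t)
{
    t->entry_ctx_valid = t->tif_audit_syscall; /* slow path only if flagged */
}

static void syscall_exit(struct task *t)
{
    if (n_rules > 0 && t->entry_ctx_valid)
        t->audited++;
    else if (n_rules > 0)
        t->missed++;        /* too late: nothing was recorded at entry */
    t->entry_ctx_valid = false;
}

static struct task run_race(enum policy p)
{
    struct task a = {0};
    n_rules = 0;
    update_flag(&a, p);
    syscall_entry(&a);      /* A enters syscall #1 with an empty filter */
    n_rules = 1;            /* B populates the filter mid-syscall */
    update_flag(&a, p);     /* flag flips now, but entry already ran */
    syscall_exit(&a);
    syscall_entry(&a);      /* syscall #2 is covered under both policies */
    syscall_exit(&a);
    return a;
}

int main(void)
{
    struct task a = run_race(FLAG_ONLY_IF_RULES), b = run_race(FLAG_ALWAYS);
    printf("only-if-rules:  audited=%d missed=%d\n", a.audited, a.missed);
    printf("always-flagged: audited=%d missed=%d\n", b.audited, b.missed);
    return 0;
}
```

The gap is bounded to syscalls already in flight when the first rule is loaded; whether that counts as a bug is the open question the reply raises.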