Date: Tue, 24 Aug 2010 12:16:26 +1000
From: Anton Blanchard
To: Eric Paris
Cc: Michael Neuling, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Al Viro
Subject: Re: [PATCH] audit: speedup for syscalls when auditing is disabled
Message-ID: <20100824021625.GA2425@kryten>
References: <29151.1282270393@neuling.org> <1282586177.2681.43.camel@localhost.localdomain>
In-Reply-To: <1282586177.2681.43.camel@localhost.localdomain>

Hi Eric,

> I don't think this works at all. I don't see how syscall audit'ing can
> work. What if I have nothing in the AUDIT_FILTER_TASK list but I want
> to audit all 'open(2)' syscalls? This patch is going to leave the task
> in the DISABLED state and we won't ever be able to match on the syscall
> rules.

That's a good point. What if we went through and created an audit context
for each thread at the point where we add a rule to the audit subsystem?

That would make the common case where no one touches audit go fast. It's
only once you add a rule that you get the syscall entry/exit overhead of
audit.

Anton