From 5b352faa29c7e8867bb172d155775cd7235e6ba7 Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Mon, 24 Jul 2023 15:05:26 +0800 Subject: [PATCH 1/2] audit: optimize syscall auditing hulk inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/I7NE3D -------------------------------- If there is no audit rule, the audit context is dummy and will not be used, so it's no need to call __audit_syscall_entry/__audit_syscall_exit(). Signed-off-by: Yang Yingliang --- include/linux/audit.h | 28 ++++++++++++++++++++++++++++ init/Kconfig | 5 +++++ kernel/entry/common.c | 18 ++++++++++++++++++ 3 files changed, 51 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index b3d859831a31..00dcf224ea1a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -319,6 +319,26 @@ static inline bool audit_dummy_context(void) void *p = audit_context(); return !p || *(int *)p; } + +#ifdef CONFIG_AUDITSYSCALL_OPTIMIZE +extern int audit_n_rules; +static inline bool audit_get_dummy_context(void) +{ + void *p = audit_context(); + int *dummy = p; + + if (!p) + return true; + + if (!audit_n_rules) { + *dummy = 1; + return true; + } else { + return false; + } +} +#endif + static inline void audit_free(struct task_struct *task) { if (unlikely(task->audit_context)) @@ -328,12 +348,20 @@ static inline void audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3) { +#ifdef CONFIG_AUDITSYSCALL_OPTIMIZE + if (unlikely(!audit_get_dummy_context())) +#else if (unlikely(audit_context())) +#endif __audit_syscall_entry(major, a0, a1, a2, a3); } static inline void audit_syscall_exit(void *pt_regs) { +#ifdef CONFIG_AUDITSYSCALL_OPTIMIZE + if (unlikely(!audit_get_dummy_context())) { +#else if (unlikely(audit_context())) { +#endif int success = is_syscall_success(pt_regs); long return_code = regs_return_value(pt_regs); diff --git a/init/Kconfig b/init/Kconfig index b7fbf5b9bdf2..96d664a7541c 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -437,6 +437,11 @@ config AUDITSYSCALL depends on AUDIT && HAVE_ARCH_AUDITSYSCALL select FSNOTIFY +config AUDITSYSCALL_OPTIMIZE + bool "System call auditing optimize" + def_bool n + depends on AUDITSYSCALL + source "kernel/irq/Kconfig" source "kernel/time/Kconfig" source "kernel/Kconfig.preempt" diff --git a/kernel/entry/common.c b/kernel/entry/common.c index a028b28daed5..48bac49a73a7 100644 --- a/kernel/entry/common.c +++ b/kernel/entry/common.c @@ -77,8 +77,19 @@ __syscall_enter_from_user_work(struct pt_regs *regs, long syscall) unsigned long ti_work; ti_work = READ_ONCE(current_thread_info()->flags); +#ifdef CONFIG_AUDITSYSCALL_OPTIMIZE + if (ti_work == _TIF_SYSCALL_AUDIT) { + if (!audit_get_dummy_context()) { + syscall = syscall_get_nr(current, regs); + syscall_enter_audit(regs, syscall); + } + } else if (ti_work & SYSCALL_ENTER_WORK) { + syscall = syscall_trace_enter(regs, syscall, ti_work); + } +#else if (ti_work & SYSCALL_ENTER_WORK) syscall = syscall_trace_enter(regs, syscall, ti_work); +#endif return syscall; } @@ -269,8 +280,15 @@ static void syscall_exit_to_user_mode_prepare(struct pt_regs *regs) * enabled, we want to run them exactly once per syscall exit with * interrupts enabled. */ +#ifdef CONFIG_AUDITSYSCALL_OPTIMIZE + if (cached_flags == _TIF_SYSCALL_AUDIT) + audit_syscall_exit(regs); + else if (unlikely(cached_flags & SYSCALL_EXIT_WORK)) + syscall_exit_work(regs, cached_flags); +#else if (unlikely(cached_flags & SYSCALL_EXIT_WORK)) syscall_exit_work(regs, cached_flags); +#endif } __visible noinstr void syscall_exit_to_user_mode(struct pt_regs *regs) -- Gitee From c875d99220069dffbe97179fe76e309b599b8733 Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Mon, 24 Jul 2023 15:05:27 +0800 Subject: [PATCH 2/2] enable AUDITSYSCALL_OPTIMIZE by default hulk inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/I7NE3D -------------------------------- Enable CONFIG_AUDITSYSCALL_OPTIMIZE by default on x86 and arm64 Signed-off-by: Yang Yingliang --- arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index f055d8e93bc4..b6d7657861d5 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -27,6 +27,7 @@ CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y +CONFIG_AUDITSYSCALL_OPTIMIZE=y # # IRQ subsystem diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 9adedd9d615a..0c12dc66625e 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -41,6 +41,7 @@ CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y +CONFIG_AUDITSYSCALL_OPTIMIZE=y # # IRQ subsystem -- Gitee