svn commit: r189570 - in head/sys: security/audit sys

Robert Watson rwatson at FreeBSD.org
Mon Mar 9 03:45:59 PDT 2009


Author: rwatson
Date: Mon Mar  9 10:45:58 2009
New Revision: 189570
URL: http://svn.freebsd.org/changeset/base/189570

Log:
  Add a new thread-private flag, TDP_AUDITREC, to indicate whether or
  not there is an audit record hung off of td_ar on the current thread.
  Test this flag instead of td_ar when auditing syscall arguments or
  checking for an audit record to commit on syscall return.  Under
  these circumstances, td_pflags is much more likely to be in the cache
  (especially if there is no auditing of the current system call), so
  this should help reduce cache misses in the system call return path.
  
  MFC after:      1 week
  Reported by:    kris
  Obtained from:  TrustedBSD Project

Modified:
  head/sys/security/audit/audit.c
  head/sys/security/audit/audit.h
  head/sys/security/audit/audit_syscalls.c
  head/sys/sys/proc.h

Modified: head/sys/security/audit/audit.c
==============================================================================
--- head/sys/security/audit/audit.c	Mon Mar  9 08:25:05 2009	(r189569)
+++ head/sys/security/audit/audit.c	Mon Mar  9 10:45:58 2009	(r189570)
@@ -492,6 +492,8 @@ audit_syscall_enter(unsigned short code,
 	au_id_t auid;
 
 	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
+	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
+	    ("audit_syscall_enter: TDP_AUDITREC set"));
 
 	/*
 	 * In FreeBSD, each ABI has its own system call table, and hence
@@ -542,9 +544,13 @@ audit_syscall_enter(unsigned short code,
 			panic("audit_failing_stop: thread continued");
 		}
 		td->td_ar = audit_new(event, td);
-	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
+		if (td->td_ar != NULL)
+			td->td_pflags |= TDP_AUDITREC;
+	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
 		td->td_ar = audit_new(event, td);
-	else
+		if (td->td_ar != NULL)
+			td->td_pflags |= TDP_AUDITREC;
+	} else
 		td->td_ar = NULL;
 }
 
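Review bot: The final `else` branch resets `td->td_ar` but leaves `TDP_AUDITREC` untouched, so the pointer and the flag are not kept in step on the one path that allocates nothing. The entry KASSERTs cover this only on kernels built with INVARIANTS, and the AUDIT_ARG and AUDIT_SYSCALL_EXIT macros in audit.h now trust the flag alone, so a stale bit would send a thread with no record into the audit paths. Either drop the redundant store or clear both: `} else { td->td_ar = NULL; td->td_pflags &= ~TDP_AUDITREC; }`. The set-after-audit_new() pattern is also written out twice here and once more in audit() in audit_syscalls.c; a small helper would keep the pairing in one place. The body of audit_syscall_enter() begins outside this hunk.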
@@ -572,6 +578,7 @@ audit_syscall_exit(int error, struct thr
 
 	audit_commit(td->td_ar, error, retval);
 	td->td_ar = NULL;
+	td->td_pflags &= ~TDP_AUDITREC;
 }
 
 void
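Review bot: audit_syscall_exit() is now reached through AUDIT_SYSCALL_EXIT on the strength of the flag, yet nothing in the visible lines checks that `td->td_ar` is non-NULL before it is handed to audit_commit(). The commit asserts flag-clear at enter and free; the opposite direction belongs here, e.g. `KASSERT(td->td_ar != NULL, ("audit_syscall_exit: TDP_AUDITREC set, td_ar NULL"));`. Whether audit_commit() tolerates a NULL record cannot be seen from this hunk, and the start of the function is outside it.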
@@ -626,6 +633,8 @@ audit_thread_free(struct thread *td)
 {
 
 	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
+	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
+	    ("audit_thread_free: TDP_AUDITREC set"));
 }
 
 void

Modified: head/sys/security/audit/audit.h
==============================================================================
--- head/sys/security/audit/audit.h	Mon Mar  9 08:25:05 2009	(r189569)
+++ head/sys/security/audit/audit.h	Mon Mar  9 10:45:58 2009	(r189570)
@@ -186,7 +186,7 @@ void	 audit_thread_free(struct thread *t
  * audit_enabled flag before performing the actual call.
  */
 #define	AUDIT_ARG(op, args...)	do {					\
-	if (td->td_ar != NULL)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_arg_ ## op (args);				\
 } while (0)
 
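Review bot: The comment above AUDIT_ARG still ends with a reference to the `audit_enabled` flag, while the macro now tests `TDP_AUDITREC` on a `td` that is not a macro parameter and must exist in the caller's scope. A missed argument capture silently thins the audit trail, so the comment should state both facts, for example `Requires a local 'td' (the current thread); arguments are recorded only if TDP_AUDITREC is set on it.` The beginning of that comment is outside the hunk, so the existing wording may already cover part of this.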
@@ -202,7 +202,7 @@ void	 audit_thread_free(struct thread *t
  * auditing is disabled, so we don't just check audit_enabled here.
  */
 #define	AUDIT_SYSCALL_EXIT(error, td)	do {				\
-	if (td->td_ar != NULL)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_syscall_exit(error, td);				\
 } while (0)
 
@@ -210,7 +210,7 @@ void	 audit_thread_free(struct thread *t
  * A Macro to wrap the audit_sysclose() function.
  */
 #define	AUDIT_SYSCLOSE(td, fd)	do {					\
-	if (audit_enabled)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_sysclose(td, fd);					\
 } while (0)
 
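Review bot: AUDIT_SYSCLOSE changes its guard from the global `audit_enabled` to the per-thread flag, which is a behaviour change rather than the td_ar-to-flag substitution the log describes, and the one-line comment above it does not say when audit_sysclose() runs. If audit_sysclose() did anything useful for a thread without a record, that is now skipped; its body is not shown here, so this needs confirming. The macro also expands its parameter as `td->td_pflags`, as does AUDIT_SYSCALL_EXIT in the previous hunk; `if ((td)->td_pflags & TDP_AUDITREC)` keeps it correct for any argument expression.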

Modified: head/sys/security/audit/audit_syscalls.c
==============================================================================
--- head/sys/security/audit/audit_syscalls.c	Mon Mar  9 08:25:05 2009	(r189569)
+++ head/sys/security/audit/audit_syscalls.c	Mon Mar  9 10:45:58 2009	(r189570)
@@ -96,6 +96,7 @@ audit(struct thread *td, struct audit_ar
 		td->td_ar = audit_new(AUE_NULL, td);
 		if (td->td_ar == NULL)
 			return (ENOTSUP);
+		td->td_pflags |= TDP_AUDITREC;
 		ar = td->td_ar;
 	}
 

Modified: head/sys/sys/proc.h
==============================================================================
--- head/sys/sys/proc.h	Mon Mar  9 08:25:05 2009	(r189569)
+++ head/sys/sys/proc.h	Mon Mar  9 10:45:58 2009	(r189570)
@@ -368,6 +368,7 @@ do {									\
 #define	TDP_KTHREAD	0x00200000 /* This is an official kernel thread */
 #define	TDP_CALLCHAIN	0x00400000 /* Capture thread's callchain */
 #define	TDP_IGNSUSP	0x00800000 /* Permission to ignore the MNTK_SUSPEND* */
+#define	TDP_AUDITREC	0x01000000 /* Audit record pending on thread */
 
 /*
  * Reasons that the current thread can not be run yet.

