PERFORCE change 167052 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 5 21:16:59 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=167052
Change 167052 by rwatson at rwatson_cinnamon on 2009/08/05 21:15:57
For now, rather than exposing audit_slice throughout the kernel,
cache audit_base_slice's enabled/suspended flags in the previously
used globals. Possibly not just "for now" since this also makes
the per-syscall check more performant.
Affected files ...
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#11 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#4 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_syscalls.c#7 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#5 edit
Differences ...
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#11 (text) ====
@@ -84,6 +84,19 @@
SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
"TrustedBSD audit controls");
+/*
+ * Audit control settings that are set/read by system calls and are hence
+ * non-static.
+ *
+ * Define the audit control flags.
+ *
+ * XXXRW: Cache audit_base_slice->audit_enabled and
+ * audit_base_slice->audit_suspended in globals so that we can avoid
+ * dereferencing audit_base_slice for every system call entry.
+ */
+int audit_enabled;
+int audit_suspended;
+
/*
* The base audit slice statically declared.
*/
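Review bot: The new comment above `audit_enabled`/`audit_suspended` never states the invariant the rest of the change depends on: every write to `audit_base_slice->audit_enabled` or `->audit_suspended` must be mirrored into these globals. If one writer misses the mirror, `AUDIT_SYSCALL_ENTER` tests a stale value and syscall records can be skipped silently. The comment also reads as two fragments joined together ("set/read by system calls and are hence non-static" followed by "Define the audit control flags"), and it carries an XXXRW tag on what the description suggests may be the permanent design. I would replace it with a single paragraph saying the globals are a read-mostly cache of the base slice's flags, naming the code paths that are allowed to write them, and stating that other slices must never write them.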
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#4 (text) ====
@@ -52,8 +52,6 @@
* observed but should not be directly manipulated. The audit suspension
* flag permits audit to be temporarily disabled without reconfiguring the
* audit target.
- *
- * XXXRW: These are no longer needed if they're per-slice.
*/
extern int audit_enabled;
extern int audit_suspended;
@@ -193,12 +191,8 @@
} while (0)
-/*
- * XXXRW: Perhaps we should have audit_base_enabled or such as a global to
- * avoid an extra pointer deref for every syscall?
- */
#define AUDIT_SYSCALL_ENTER(code, td) do { \
- if (audit_base_slice->audit_enabled) { \
+ if (audit_enabled) { \
audit_syscall_enter(code, td); \
} \
} while (0)
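Review bot: `AUDIT_SYSCALL_ENTER` is left with no comment once the XXXRW note is deleted, although `if (audit_enabled)` is now the only gate on syscall auditing and tests a cached copy rather than the slice itself. A short replacement would keep that visible at the point of use, for example `/* audit_enabled mirrors audit_base_slice->audit_enabled; see audit.c. */`. The read is also unlocked, while the one visible writer in audit_worker.c updates the flag before `AUDIT_WORKER_UNLOCK()`. If a briefly stale read is acceptable here, the comment should say so.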
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_syscalls.c#7 (text) ====
@@ -397,6 +397,7 @@
audit_base_slice->audit_suspended = 1;
audit_shutdown(NULL, 0);
}
+ audit_suspended = audit_base_slice->audit_suspended;
break;
}
if (uap->length != sizeof(udata.au_cond))
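Review bot: In this hunk and the one at -409, the global mirror `audit_suspended = audit_base_slice->audit_suspended;` runs only after `audit_shutdown(NULL, 0)` has returned, so the cached flag and the slice field disagree for the whole shutdown call. Moving the mirror up next to the slice write would close that window, e.g. `audit_base_slice->audit_suspended = 1;` immediately followed by `audit_suspended = 1;`. The same assignment is hand-copied a third time in the hunk at -856, and a future writer of the slice field could easily omit it. One small setter that updates the slice field and the global together would make the pairing hard to miss. No locking is visible around any of these writes, but the enclosing functions start outside the hunks, so that should be confirmed against the full file.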
@@ -409,6 +410,7 @@
audit_base_slice->audit_suspended = 1;
audit_shutdown(NULL, 0);
}
+ audit_suspended = audit_base_slice->audit_suspended;
break;
case A_GETCLASS:
@@ -856,6 +858,7 @@
* audit_worker?
*/
audit_base_slice->audit_suspended = 0;
+ audit_suspended = audit_base_slice->audit_suspended;
audit_rotate_vnode(cred, vp);
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#5 (text) ====
@@ -265,6 +265,7 @@
}
(void)audit_send_trigger(AUDIT_TRIGGER_NO_SPACE);
as->audit_suspended = 1;
+ audit_suspended = as->audit_suspended;
/* FALLTHROUGH */
fail:
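Review bot: `audit_suspended = as->audit_suspended;` copies the flag of whichever slice `as` points to, but the change description says these globals cache audit_base_slice's state. The function starts outside the hunk, so this is inferred from the use of `as`: if the worker path can run for a non-base slice, that slice hitting `AUDIT_TRIGGER_NO_SPACE` would mark base auditing as suspended. The same applies to `audit_enabled = as->audit_enabled;` in the hunk at -469, where a slice with a NULL `audit_vp` would turn off `AUDIT_SYSCALL_ENTER` for every system call. Both mirrors should be guarded, e.g. `if (as == audit_base_slice) audit_suspended = as->audit_suspended;` and likewise for `audit_enabled`.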
@@ -469,6 +470,7 @@
as->audit_vp = vp;
as->audit_file_rotate_wait = 0;
as->audit_enabled = (as->audit_vp != NULL);
+ audit_enabled = as->audit_enabled;
AUDIT_WORKER_UNLOCK();
/*