svn commit: r184948 - head/sys/security/audit
Robert Watson
rwatson at FreeBSD.org
Thu Nov 13 17:24:53 PST 2008
Author: rwatson
Date: Fri Nov 14 01:24:52 2008
New Revision: 184948
URL: http://svn.freebsd.org/changeset/base/184948
Log:
When repeatedly accessing a thread credential, cache the credential
pointer in a local thread. While this is unlikely to significantly
improve performance given modern compiler behavior, it makes the code
more readable and reduces diffs to the Mac OS X version of the same
code (which stores things in creds in the same way, but where the
cred for a thread is reached quite differently).
Discussed with: sson
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
Modified:
head/sys/security/audit/audit.c
head/sys/security/audit/audit_arg.c
head/sys/security/audit/audit_syscalls.c
Modified: head/sys/security/audit/audit.c
==============================================================================
--- head/sys/security/audit/audit.c Fri Nov 14 00:20:24 2008 (r184947)
+++ head/sys/security/audit/audit.c Fri Nov 14 01:24:52 2008 (r184948)
@@ -207,6 +207,7 @@ audit_record_ctor(void *mem, int size, v
{
struct kaudit_record *ar;
struct thread *td;
+ struct ucred *cred;
KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
@@ -219,15 +220,16 @@ audit_record_ctor(void *mem, int size, v
/*
* Export the subject credential.
*/
- cru2x(td->td_ucred, &ar->k_ar.ar_subj_cred);
- ar->k_ar.ar_subj_ruid = td->td_ucred->cr_ruid;
- ar->k_ar.ar_subj_rgid = td->td_ucred->cr_rgid;
- ar->k_ar.ar_subj_egid = td->td_ucred->cr_groups[0];
- ar->k_ar.ar_subj_auid = td->td_ucred->cr_audit.ai_auid;
- ar->k_ar.ar_subj_asid = td->td_ucred->cr_audit.ai_asid;
+ cred = td->td_ucred;
+ cru2x(cred, &ar->k_ar.ar_subj_cred);
+ ar->k_ar.ar_subj_ruid = cred->cr_ruid;
+ ar->k_ar.ar_subj_rgid = cred->cr_rgid;
+ ar->k_ar.ar_subj_egid = cred->cr_groups[0];
+ ar->k_ar.ar_subj_auid = cred->cr_audit.ai_auid;
+ ar->k_ar.ar_subj_asid = cred->cr_audit.ai_asid;
ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
- ar->k_ar.ar_subj_amask = td->td_ucred->cr_audit.ai_mask;
- ar->k_ar.ar_subj_term_addr = td->td_ucred->cr_audit.ai_termid;
+ ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
+ ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
return (0);
}
@@ -631,6 +633,7 @@ audit_proc_coredump(struct thread *td, c
{
struct kaudit_record *ar;
struct au_mask *aumask;
+ struct ucred *cred;
au_class_t class;
int ret, sorf;
char **pathp;
@@ -641,11 +644,12 @@ audit_proc_coredump(struct thread *td, c
/*
* Make sure we are using the correct preselection mask.
*/
- auid = td->td_ucred->cr_audit.ai_auid;
+ cred = td->td_ucred;
+ auid = cred->cr_audit.ai_auid;
if (auid == AU_DEFAUDITID)
aumask = &audit_nae_mask;
else
- aumask = &td->td_ucred->cr_audit.ai_mask;
+ aumask = &cred->cr_audit.ai_mask;
/*
* It's possible for coredump(9) generation to fail. Make sure that
* we handle this case correctly for preselection.
@@ -658,6 +662,7 @@ audit_proc_coredump(struct thread *td, c
if (au_preselect(AUE_CORE, class, aumask, sorf) == 0 &&
audit_pipe_preselect(auid, AUE_CORE, class, sorf, 0) == 0)
return;
+
/*
* If we are interested in seeing this audit record, allocate it.
* Where possible coredump records should contain a pathname and arg32
Modified: head/sys/security/audit/audit_arg.c
==============================================================================
--- head/sys/security/audit/audit_arg.c Fri Nov 14 00:20:24 2008 (r184947)
+++ head/sys/security/audit/audit_arg.c Fri Nov 14 01:24:52 2008 (r184948)
@@ -356,6 +356,7 @@ void
audit_arg_process(struct proc *p)
{
struct kaudit_record *ar;
+ struct ucred *cred;
KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
@@ -365,13 +366,14 @@ audit_arg_process(struct proc *p)
if (ar == NULL)
return;
- ar->k_ar.ar_arg_auid = p->p_ucred->cr_audit.ai_auid;
- ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
- ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
- ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
- ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
- ar->k_ar.ar_arg_asid = p->p_ucred->cr_audit.ai_asid;
- ar->k_ar.ar_arg_termid_addr = p->p_ucred->cr_audit.ai_termid;
+ cred = p->p_ucred;
+ ar->k_ar.ar_arg_auid = cred->cr_audit.ai_auid;
+ ar->k_ar.ar_arg_euid = cred->cr_uid;
+ ar->k_ar.ar_arg_egid = cred->cr_groups[0];
+ ar->k_ar.ar_arg_ruid = cred->cr_ruid;
+ ar->k_ar.ar_arg_rgid = cred->cr_rgid;
+ ar->k_ar.ar_arg_asid = cred->cr_audit.ai_asid;
+ ar->k_ar.ar_arg_termid_addr = cred->cr_audit.ai_termid;
ar->k_ar.ar_arg_pid = p->p_pid;
ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
ARG_RGID | ARG_ASID | ARG_TERMID_ADDR | ARG_PID | ARG_PROCESS);
Modified: head/sys/security/audit/audit_syscalls.c
==============================================================================
--- head/sys/security/audit/audit_syscalls.c Fri Nov 14 00:20:24 2008 (r184947)
+++ head/sys/security/audit/audit_syscalls.c Fri Nov 14 01:24:52 2008 (r184948)
@@ -157,7 +157,7 @@ free_out:
int
auditon(struct thread *td, struct auditon_args *uap)
{
- struct ucred *newcred, *oldcred;
+ struct ucred *cred, *newcred, *oldcred;
int error;
union auditon_udata udata;
struct proc *tp;
@@ -321,22 +321,21 @@ auditon(struct thread *td, struct audito
PROC_UNLOCK(tp);
return (error);
}
- if (tp->p_ucred->cr_audit.ai_termid.at_type == AU_IPv6) {
+ cred = tp->p_ucred;
+ if (cred->cr_audit.ai_termid.at_type == AU_IPv6) {
PROC_UNLOCK(tp);
return (EINVAL);
}
- udata.au_aupinfo.ap_auid =
- tp->p_ucred->cr_audit.ai_auid;
+ udata.au_aupinfo.ap_auid = cred->cr_audit.ai_auid;
udata.au_aupinfo.ap_mask.am_success =
- tp->p_ucred->cr_audit.ai_mask.am_success;
+ cred->cr_audit.ai_mask.am_success;
udata.au_aupinfo.ap_mask.am_failure =
- tp->p_ucred->cr_audit.ai_mask.am_failure;
+ cred->cr_audit.ai_mask.am_failure;
udata.au_aupinfo.ap_termid.machine =
- tp->p_ucred->cr_audit.ai_termid.at_addr[0];
+ cred->cr_audit.ai_termid.at_addr[0];
udata.au_aupinfo.ap_termid.port =
- (dev_t)tp->p_ucred->cr_audit.ai_termid.at_port;
- udata.au_aupinfo.ap_asid =
- tp->p_ucred->cr_audit.ai_asid;
+ (dev_t)cred->cr_audit.ai_termid.at_port;
+ udata.au_aupinfo.ap_asid = cred->cr_audit.ai_asid;
PROC_UNLOCK(tp);
break;
@@ -381,16 +380,14 @@ auditon(struct thread *td, struct audito
return (ESRCH);
if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
return (ESRCH);
- udata.au_aupinfo_addr.ap_auid =
- tp->p_ucred->cr_audit.ai_auid;
+ cred = tp->p_ucred;
+ udata.au_aupinfo_addr.ap_auid = cred->cr_audit.ai_auid;
udata.au_aupinfo_addr.ap_mask.am_success =
- tp->p_ucred->cr_audit.ai_mask.am_success;
+ cred->cr_audit.ai_mask.am_success;
udata.au_aupinfo_addr.ap_mask.am_failure =
- tp->p_ucred->cr_audit.ai_mask.am_failure;
- udata.au_aupinfo_addr.ap_termid =
- tp->p_ucred->cr_audit.ai_termid;
- udata.au_aupinfo_addr.ap_asid =
- tp->p_ucred->cr_audit.ai_asid;
+ cred->cr_audit.ai_mask.am_failure;
+ udata.au_aupinfo_addr.ap_termid = cred->cr_audit.ai_termid;
+ udata.au_aupinfo_addr.ap_asid = cred->cr_audit.ai_asid;
PROC_UNLOCK(tp);
break;
@@ -503,21 +500,23 @@ int
getaudit(struct thread *td, struct getaudit_args *uap)
{
struct auditinfo ai;
+ struct ucred *cred;
int error;
- if (jailed(td->td_ucred))
+ cred = td->td_ucred;
+ if (jailed(cred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
- if (td->td_ucred->cr_audit.ai_termid.at_type == AU_IPv6)
+ if (cred->cr_audit.ai_termid.at_type == AU_IPv6)
return (ERANGE);
bzero(&ai, sizeof(ai));
- ai.ai_auid = td->td_ucred->cr_audit.ai_auid;
- ai.ai_mask = td->td_ucred->cr_audit.ai_mask;
- ai.ai_asid = td->td_ucred->cr_audit.ai_asid;
- ai.ai_termid.machine = td->td_ucred->cr_audit.ai_termid.at_addr[0];
- ai.ai_termid.port = td->td_ucred->cr_audit.ai_termid.at_port;
+ ai.ai_auid = cred->cr_audit.ai_auid;
+ ai.ai_mask = cred->cr_audit.ai_mask;
+ ai.ai_asid = cred->cr_audit.ai_asid;
+ ai.ai_termid.machine = cred->cr_audit.ai_termid.at_addr[0];
+ ai.ai_termid.port = cred->cr_audit.ai_termid.at_port;
return (copyout(&ai, uap->auditinfo, sizeof(ai)));
}
More information about the svn-src-all
mailing list