LSM: shrink sizeof LSM specific portion of common_audit_data

Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2025-07-16 11:32:41 +00:00 · 2012-04-03 09:37:02 -07:00 · 2012-04-03 09:37:02 -07:00 · 3b3b0e4fc1
commit 3b3b0e4fc1
parent 95694129b4
16 changed files with 241 additions and 146 deletions
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@ -72,61 +72,15 @@ struct common_audit_data {
 	/* this union contains LSM specific data */
 	union {
 #ifdef CONFIG_SECURITY_SMACK
-		/* SMACK data */
-		struct smack_audit_data {
-			const char *function;
-			char *subject;
-			char *object;
-			char *request;
-			int result;
-		} smack_audit_data;
+		struct smack_audit_data *smack_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_SELINUX
-		/* SELinux data */
-		struct {
-			u32 ssid;
-			u32 tsid;
-			u16 tclass;
-			u32 requested;
-			u32 audited;
-			u32 denied;
-			/*
-			 * auditdeny is a bit tricky and unintuitive.  See the
-			 * comments in avc.c for it's meaning and usage.
-			 */
-			u32 auditdeny;
-			struct av_decision *avd;
-			int result;
-		} selinux_audit_data;
+		struct selinux_audit_data *selinux_audit_data;
 #endif
 #ifdef CONFIG_SECURITY_APPARMOR
-		struct {
-			int error;
-			int op;
-			int type;
-			void *profile;
-			const char *name;
-			const char *info;
-			union {
-				void *target;
-				struct {
-					long pos;
-					void *target;
-				} iface;
-				struct {
-					int rlim;
-					unsigned long max;
-				} rlim;
-				struct {
-					const char *target;
-					u32 request;
-					u32 denied;
-					uid_t ouid;
-				} fs;
-			};
-		} apparmor_audit_data;
+		struct apparmor_audit_data *apparmor_audit_data;
 #endif
-	};
+	}; /* per LSM data pointer union */
 	/* these callback will be implemented by a specific LSM */
 	void (*lsm_pre_audit)(struct audit_buffer *, void *);
 	void (*lsm_post_audit)(struct audit_buffer *, void *);