Merge tag 'audit-pr-20251201' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:

- Consolidate the loops in __audit_inode_child() to improve performance

When logging a child inode in __audit_inode_child(), we first run
through the list of recorded inodes looking for the parent and then
we repeat the search looking for a matching child entry. This pull
request consolidates both searches into one pass through the recorded
inodes, resulting in approximately a 50% reduction in audit overhead.

See the commit description for the testing details.

- Combine kmalloc()/memset() into kzalloc() in audit_krule_to_data()

- Comment fixes

* tag 'audit-pr-20251201' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: merge loops in __audit_inode_child()
audit: Use kzalloc() instead of kmalloc()/memset() in audit_krule_to_data()
audit: fix comment misindentation in audit.h

+23 -29
+1 -1
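--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -138,7 +138,7 @@
 struct audit_aux_data *aux_pids;
 struct sockaddr_storage *sockaddr;
 size_t sockaddr_len;
-/* Save things to print about task_struct */
+/* Save things to print about task_struct */
 pid_t ppid;
 kuid_t uid, euid, suid, fsuid;
 kgid_t gid, egid, sgid, fsgid;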
+1 -2
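--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -638,10 +638,9 @@
 void *bufp;
 int i;
 
-data = kmalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);
+data = kzalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);
 if (unlikely(!data))
 return NULL;
-memset(data, 0, sizeof(*data));
 
 data->flags = krule->flags | krule->listnr;
 data->action = krule->action;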
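Review bot: The move to `kzalloc()` changes more than a kmalloc/memset merge would suggest, and the allocation deserves a comment saying so. The removed `memset(data, 0, sizeof(*data))` cleared only the fixed header, while `kzalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL)` also clears the trailing `buf`. That is the safer behaviour if the structure is later copied out in full, because no unwritten tail bytes can carry stale heap contents; the rest of the function lies outside this hunk, so that use is an inference. A one-line comment such as `/* zero header and buf[] so no stale heap data is exposed */` above the allocation would keep a later cleanup from narrowing the zeroing back to the header.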
+21 -26
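--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2416,41 +2416,36 @@
 if (inode)
 handle_one(inode);
 
-/* look for a parent entry first */
-list_for_each_entry(n, &context->names_list, list) {
-if (!n->name ||
-(n->type != AUDIT_TYPE_PARENT &&
-n->type != AUDIT_TYPE_UNKNOWN))
-continue;
-
-if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
-!audit_compare_dname_path(dname,
-n->name->name, n->name_len)) {
-if (n->type == AUDIT_TYPE_UNKNOWN)
-n->type = AUDIT_TYPE_PARENT;
-found_parent = n;
-break;
-}
-}
-
-cond_resched();
-
-/* is there a matching child entry? */
 list_for_each_entry(n, &context->names_list, list) {
 /* can only match entries that have a name */
-if (!n->name ||
-(n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
+if (!n->name)
 continue;
 
-if (!strcmp(dname->name, n->name->name) ||
-!audit_compare_dname_path(dname, n->name->name,
+/* look for a parent entry first */
+if (!found_parent &&
+(n->type == AUDIT_TYPE_PARENT || n->type == AUDIT_TYPE_UNKNOWN) &&
+(n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
+!audit_compare_dname_path(dname, n->name->name, n->name_len))) {
+n->type = AUDIT_TYPE_PARENT;
+found_parent = n;
+if (found_child)
+break;
+continue;
+}
+
+/* is there a matching child entry? */
+if (!found_child &&
+(n->type == type || n->type == AUDIT_TYPE_UNKNOWN) &&
+(!strcmp(dname->name, n->name->name) ||
+!audit_compare_dname_path(dname, n->name->name,
 found_parent ?
 found_parent->name_len :
-AUDIT_NAME_FULL)) {
+AUDIT_NAME_FULL))) {
 if (n->type == AUDIT_TYPE_UNKNOWN)
 n->type = type;
 found_child = n;
-break;
+if (found_parent)
+break;
 }
 }
 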
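Review bot: The child match in the merged loop still passes `found_parent ? found_parent->name_len : AUDIT_NAME_FULL`, but `found_parent` is now set only if the parent entry was visited earlier in the same pass, whereas the old code finished the parent search before any child comparison. If `names_list` can hold a child candidate ahead of its parent (not determinable from this hunk), that entry is compared with `AUDIT_NAME_FULL` and may match differently than before, which would change the name records that end up in the audit log. I would state the ordering assumption in a comment above the loop, e.g. `/* parent entries are expected to precede their children in names_list */`, or have the commit message explain why order does not matter. The `cond_resched()` that sat between the two loops is also gone, so the walk no longer has a reschedule point. The enclosing function starts and ends outside the hunk.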