LSM: shrink the common_audit_data data union
After shrinking the common_audit_data stack usage for private LSM data I'm
now going to shrink the data union.  To do this I'm going to move anything
larger than 2 void * ptrs to its own structure and require it to be declared
separately on the calling stack.  Thus hot paths which don't need more than
a couple of pointers don't have to declare space to hold large unneeded
structures.  I could get this down to one void * by dealing with the key
struct and the struct path.  We'll see if that is helpful after taking care of
networking.

Signed-off-by: Eric Paris <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
eparis authored and torvalds committed Apr 3, 2012
1 parent 3b3b0e4 commit 48c62af
Showing 5 changed files with 140 additions and 105 deletions.
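--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -22,6 +22,23 @@
 #include <linux/key.h>
 #include <linux/skbuff.h>
 
+struct lsm_network_audit {
+int netif;
+struct sock *sk;
+u16 family;
+__be16 dport;
+__be16 sport;
+union {
+struct {
+__be32 daddr;
+__be32 saddr;
+} v4;
+struct {
+struct in6_addr daddr;
+struct in6_addr saddr;
+} v6;
+} fam;
+};
 
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
@@ -41,23 +58,7 @@ struct common_audit_data {
 struct path path;
 struct dentry *dentry;
 struct inode *inode;
-struct {
-int netif;
-struct sock *sk;
-u16 family;
-__be16 dport;
-__be16 sport;
-union {
-struct {
-__be32 daddr;
-__be32 saddr;
-} v4;
-struct {
-struct in6_addr daddr;
-struct in6_addr saddr;
-} v6;
-} fam;
-} net;
+struct lsm_network_audit *net;
 int cap;
 int ipc_id;
 struct task_struct *tsk;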
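Review bot: `struct lsm_network_audit *net;` turns the union member into a caller-owned pointer, but the header says nothing about who allocates it or that it must not be NULL, while the audit code in this same commit reads `a->u.net->sk`, `a->u.net->family` and `a->u.net->netif` through it without any check. A comment on the new struct would make the contract explicit, e.g. `/* Declared by the caller (normally on its stack) and referenced via common_audit_data.u.net for LSM_AUDIT_DATA_NET; must be non-NULL and fully initialised before the audit helpers run. */`. Previously these fields lived inside common_audit_data, so whatever initialised that object presumably covered them too; as a separate object each caller now has to zero `netif`, `family` and `sk` itself or the audit record reads whatever was on the stack, which is worth stating in the same comment. The struct common_audit_data definition continues past the end of the second hunk.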
66 changes: 33 additions & 33 deletions security/lsm_audit.c
Expand Up @@ -49,8 +49,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
if (ih == NULL)
return -EINVAL;

ad->u.net.v4info.saddr = ih->saddr;
ad->u.net.v4info.daddr = ih->daddr;
ad->u.net->v4info.saddr = ih->saddr;
ad->u.net->v4info.daddr = ih->daddr;

if (proto)
*proto = ih->protocol;
Expand All @@ -64,34 +64,34 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
if (th == NULL)
break;

ad->u.net.sport = th->source;
ad->u.net.dport = th->dest;
ad->u.net->sport = th->source;
ad->u.net->dport = th->dest;
break;
}
case IPPROTO_UDP: {
struct udphdr *uh = udp_hdr(skb);
if (uh == NULL)
break;

ad->u.net.sport = uh->source;
ad->u.net.dport = uh->dest;
ad->u.net->sport = uh->source;
ad->u.net->dport = uh->dest;
break;
}
case IPPROTO_DCCP: {
struct dccp_hdr *dh = dccp_hdr(skb);
if (dh == NULL)
break;

ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport;
ad->u.net->sport = dh->dccph_sport;
ad->u.net->dport = dh->dccph_dport;
break;
}
case IPPROTO_SCTP: {
struct sctphdr *sh = sctp_hdr(skb);
if (sh == NULL)
break;
ad->u.net.sport = sh->source;
ad->u.net.dport = sh->dest;
ad->u.net->sport = sh->source;
ad->u.net->dport = sh->dest;
break;
}
default:
Expand Down Expand Up @@ -119,8 +119,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
ip6 = ipv6_hdr(skb);
if (ip6 == NULL)
return -EINVAL;
ad->u.net.v6info.saddr = ip6->saddr;
ad->u.net.v6info.daddr = ip6->daddr;
ad->u.net->v6info.saddr = ip6->saddr;
ad->u.net->v6info.daddr = ip6->daddr;
ret = 0;
/* IPv6 can have several extension header before the Transport header
* skip them */
Expand All @@ -140,8 +140,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
if (th == NULL)
break;

ad->u.net.sport = th->source;
ad->u.net.dport = th->dest;
ad->u.net->sport = th->source;
ad->u.net->dport = th->dest;
break;
}
case IPPROTO_UDP: {
Expand All @@ -151,8 +151,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
if (uh == NULL)
break;

ad->u.net.sport = uh->source;
ad->u.net.dport = uh->dest;
ad->u.net->sport = uh->source;
ad->u.net->dport = uh->dest;
break;
}
case IPPROTO_DCCP: {
Expand All @@ -162,8 +162,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
if (dh == NULL)
break;

ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport;
ad->u.net->sport = dh->dccph_sport;
ad->u.net->dport = dh->dccph_dport;
break;
}
case IPPROTO_SCTP: {
Expand All @@ -172,8 +172,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
if (sh == NULL)
break;
ad->u.net.sport = sh->source;
ad->u.net.dport = sh->dest;
ad->u.net->sport = sh->source;
ad->u.net->dport = sh->dest;
break;
}
default:
Expand Down Expand Up @@ -281,8 +281,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
}
break;
case LSM_AUDIT_DATA_NET:
if (a->u.net.sk) {
struct sock *sk = a->u.net.sk;
if (a->u.net->sk) {
struct sock *sk = a->u.net->sk;
struct unix_sock *u;
int len = 0;
char *p = NULL;
Expand Down Expand Up @@ -330,29 +330,29 @@ static void dump_common_audit_data(struct audit_buffer *ab,
}
}

switch (a->u.net.family) {
switch (a->u.net->family) {
case AF_INET:
print_ipv4_addr(ab, a->u.net.v4info.saddr,
a->u.net.sport,
print_ipv4_addr(ab, a->u.net->v4info.saddr,
a->u.net->sport,
"saddr", "src");
print_ipv4_addr(ab, a->u.net.v4info.daddr,
a->u.net.dport,
print_ipv4_addr(ab, a->u.net->v4info.daddr,
a->u.net->dport,
"daddr", "dest");
break;
case AF_INET6:
print_ipv6_addr(ab, &a->u.net.v6info.saddr,
a->u.net.sport,
print_ipv6_addr(ab, &a->u.net->v6info.saddr,
a->u.net->sport,
"saddr", "src");
print_ipv6_addr(ab, &a->u.net.v6info.daddr,
a->u.net.dport,
print_ipv6_addr(ab, &a->u.net->v6info.daddr,
a->u.net->dport,
"daddr", "dest");
break;
}
if (a->u.net.netif > 0) {
if (a->u.net->netif > 0) {
struct net_device *dev;

/* NOTE: we always use init's namespace */
dev = dev_get_by_index(&init_net, a->u.net.netif);
dev = dev_get_by_index(&init_net, a->u.net->netif);
if (dev) {
audit_log_format(ab, " netif=%s", dev->name);
dev_put(dev);
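Review bot: ipv4_skb_to_auditdata and ipv6_skb_to_auditdata now write through `ad->u.net` (the `ad->u.net->v4info.saddr = ih->saddr;` line and the following port assignments) and dump_common_audit_data reads `a->u.net->sk` without any check that the pointer was set, so a caller that selects LSM_AUDIT_DATA_NET but never assigns the new pointer turns what used to be a write into its own stack object into a NULL dereference. These are hot-path helpers, so a runtime check may be unwanted, but the precondition should at least be documented on both skb_to_auditdata functions, e.g. `/* ad->u.net must point to a caller-owned, zero-initialised struct lsm_network_audit */`. The `switch (a->u.net->family)` and `if (a->u.net->netif > 0)` tests in dump_common_audit_data likewise depend on the caller having zeroed the fields it does not fill in. All three functions begin before their hunks and continue after them.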
