Commit 0eae3283 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'audit-pr-20251201' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit 

Pull audit updates from Paul Moore:

 - Consolidate the loops in __audit_inode_child() to improve performance

   When logging a child inode in __audit_inode_child(), we first run
   through the list of recorded inodes looking for the parent and then
   we repeat the search looking for a matching child entry. This pull
   request consolidates both searches into one pass through the recorded
   inodes, resuling in approximately a 50% reduction in audit overhead.

   See the commit description for the testing details.

 - Combine kmalloc()/memset() into kzalloc() in audit_krule_to_data()

 - Comment fixes

* tag 'audit-pr-20251201' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: merge loops in __audit_inode_child()
  audit: Use kzalloc() instead of kmalloc()/memset() in audit_krule_to_data()
  audit: fix comment misindentation in audit.h
parents 51e3b98d c8a3dfe7

kernel/auditfilter.c

+1 −2
Original line number Diff line number Diff line
@@ -638,10 +638,9 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 
	void *bufp;

	int i;



	data = kmalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);

	data = kzalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);

	if (unlikely(!data))

		return NULL;

	memset(data, 0, sizeof(*data));



	data->flags = krule->flags | krule->listnr;

	data->action = krule->action;

kernel/auditsc.c

+19 −24
Original line number Diff line number Diff line
@@ -2416,40 +2416,35 @@ void __audit_inode_child(struct inode *parent, 
	if (inode)

		handle_one(inode);



	/* look for a parent entry first */

	list_for_each_entry(n, &context->names_list, list) {

		if (!n->name ||

		    (n->type != AUDIT_TYPE_PARENT &&

		     n->type != AUDIT_TYPE_UNKNOWN))

		/* can only match entries that have a name */

		if (!n->name)

			continue;



		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&

		    !audit_compare_dname_path(dname,

					      n->name->name, n->name_len)) {

			if (n->type == AUDIT_TYPE_UNKNOWN)

		/* look for a parent entry first */

		if (!found_parent &&

		    (n->type == AUDIT_TYPE_PARENT || n->type == AUDIT_TYPE_UNKNOWN) &&

		    (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&

		     !audit_compare_dname_path(dname, n->name->name, n->name_len))) {

			n->type = AUDIT_TYPE_PARENT;

			found_parent = n;

			if (found_child)

				break;

			continue;

		}

	}



	cond_resched();



		/* is there a matching child entry? */

	list_for_each_entry(n, &context->names_list, list) {

		/* can only match entries that have a name */

		if (!n->name ||

		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))

			continue;



		if (!strcmp(dname->name, n->name->name) ||

		if (!found_child &&

		    (n->type == type || n->type == AUDIT_TYPE_UNKNOWN) &&

		    (!strcmp(dname->name, n->name->name) ||

		     !audit_compare_dname_path(dname, n->name->name,

						found_parent ?

						found_parent->name_len :

						AUDIT_NAME_FULL)) {

						AUDIT_NAME_FULL))) {

			if (n->type == AUDIT_TYPE_UNKNOWN)

				n->type = type;

			found_child = n;

			if (found_parent)

				break;

		}

	}

kernel/audit.h

+1 −1

File changed.

Contains only whitespace changes.