Possible performance bug
Amy Griffis
amy.griffis at hp.com
Fri Sep 9 13:52:37 UTC 2005
On Thu, Sep 08, 2005 at 04:31:02PM -0700, Chris Wright wrote:
> * Steve Grubb (sgrubb at redhat.com) wrote:
> > Don't all the running processes still have a context?
>
> Already running processes would (except those with 'never' rules), but
> news ones shouldn't (new meaning after -e0). It seems odd a benchmark
> that runs after -e0 (that's creating only new processes) would be that
> penalized. New processes would have no context, and existing processes
> would bail out of audit_syscall_entry. Profiles would be helpful.
The TIF_SYSCALL_AUDIT flag isn't explicitly cleared in copy_process,
so it continues to be propagated to new tasks once audit has been
enabled, regardless of the current value of the audit_enabled flag.
After -e0, new tasks still incur some extra overhead from trace
syscall processing instead of jumping out early. It would be
interesting to see some numbers on that.
Amy
More information about the Linux-audit
mailing list