[PATCH 2/2] audit string fields interface + consumer

Timothy R. Chavez tinytim at us.ibm.com
Thu Jan 19 19:06:13 UTC 2006


On Thu, 2006-01-19 at 10:53 -0500, Amy Griffis wrote:
> On Wed, Jan 18, 2006 at 12:02:10PM -0600, Serge E. Hallyn wrote:
> > Quoting Timothy R. Chavez (tinytim at us.ibm.com):
> > > On Tue, 2006-01-17 at 17:19 -0500, Amy Griffis wrote:
> > > > Here is an update that incorporates changes based on Tim's feedback:
> > > >     - sanity check for path with trailing /
> > > >     - call path_release
> > > >     - use audit_compare_watch
> > > > 
> > > > and fixes panics due to the assumption of the existence of
> > > > rule->watch.
> > > >
> > > > diff --git a/kernel/audit.h b/kernel/audit.h
> > > > index f3b2a00..cc979e9 100644
> > > > --- a/kernel/audit.h
> > > > +++ b/kernel/audit.h
> > > > @@ -52,6 +52,12 @@ enum audit_state {
> > > >  };
> > > >  
> > > >  /* Rule lists */
> > > > +struct audit_watch {
> > > > +	char			*path; /* watch insertion path */
> > > > +	struct list_head	mlist; /* entry in master_watchlist */
> > > > +	struct list_head	rules; /* associated rules */
> > > > +};
> > > > +
> > > >  struct audit_field {
> > > >  	u32			type;
> > > >  	u32			val;
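Review bot: struct audit_watch is inserted directly under the existing "/* Rule lists */" comment, so that comment now labels the watch struct instead of audit_field; place the new struct above the comment or give it its own heading comment. The path member is a bare char * with no statement of who allocates and frees it, and neither mlist nor rules says which lock protects the list. A short comment on each member would make the lifetime and locking rules reviewable.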
> > > > @@ -67,6 +73,8 @@ struct audit_krule {
> > > >  	u32			buflen; /* for data alloc on list rules */
> > > >  	u32			field_count;
> > > >  	struct audit_field	fields[AUDIT_MAX_FIELDS];
> > > > +	struct audit_watch	*watch; /* associated watch */
> > > > +	struct list_head	rlist; /* entry in audit_watch.rules list */
> > > >  };
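Review bot: the new watch member of audit_krule gives no indication that it can be NULL, yet the description of this revision says it fixes panics caused by assuming rule->watch exists. State that in the member comment, for example "/* associated watch, NULL if none */", so later callers check before dereferencing. If rlist is only linked into audit_watch.rules when watch is set, its comment should say so as well.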
> > > 
> > > This may not really be that important, but if you switch to hlist_head
> > > you have a 4-byte savings, which is something...
> > > 
> > > AUDIT_MAX_FIELDS defaults to 64, sizeof(audit_field) is 12-bytes...
> > > 768-bytes... 788-bytes per audit_krule?
> > 
> > Agree.
> 
> Sorry, I'm not following how the list_head applies to the fields[]
> array.
> 

I was attempting to highlight the issue of unnecessary space consumption
by first offering a way to reduce the size of audit_krule in an easy way
(switching from list_head to hlist_head) and then bringing to everyone's
attention the larger problem of having such a large static array which
is probably mostly unused on average.  Sorry I didn't make that
clearer :-)

-tim