author | Paolo Abeni <pabeni@redhat.com> | 2023-07-19 13:37:49 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2023-07-19 16:10:05 -0400 |
commit | dd51fcd42fd6bf37608f54303b974b47f73c1490 (patch) | |
tree | d74129e8c87e692e241c6e06083fe39934ceeb30 /security/selinux/Kconfig | |
parent | 0fe53224bf5be183d263f262212c06ff00c69ca4 (diff) | |

selinux: introduce and use lsm_ad_net_init*() helpers

Perf traces of network-related workload show a measurable overhead
inside the network-related selinux hooks while zeroing the
lsm_network_audit struct.

In most cases we can delay the initialization of such structure to the
usage point, avoiding such overhead in a few cases.

Additionally, the audit code accesses the IP address information only
for AF_INET* families, and selinux_parse_skb() will fill out the
relevant fields in such cases. When the family field is zeroed or the
initialization is followed by the mentioned parsing, the zeroing can be
limited to the sk, family and netif fields.

By factoring out the audit-data initialization to new helpers, this
patch removes some duplicate code and gives a small but measurable
performance gain under UDP flood.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'security/selinux/Kconfig')
0 files changed, 0 insertions, 0 deletions