On Wed, Jul 19, 2023 at 7:37 AM Paolo Abeni <pabeni@xxxxxxxxxx> wrote:
>
> Perf traces of network-related workload shows a measurable overhead
> inside the network-related selinux hooks while zeroing the
> lsm_network_audit struct.
>
> In most cases we can delay the initialization of such structure to the
> usage point, avoiding such overhead in a few cases.
>
> Additionally, the audit code accesses the IP address information only
> for AF_INET* families, and selinux_parse_skb() will fill-out the
> relevant fields in such cases. When the family field is zeroed or the
> initialization is followed by the mentioned parsing, the zeroing can be
> limited to the sk, family and netif fields.
>
> By factoring out the audit-data initialization to new helpers, this
> patch removes some duplicate code and gives small but measurable
> performance gain under UDP flood.
>
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> ---
> rfc -> v1
> - helper rename (Paul)
>
> As per discussion at:
> https://lore.kernel.org/selinux/dc7c9c969e60fef73b6d67976eda5756255898bf.camel@xxxxxxxxxx/T/#m25143ccf1923fcd2e336405be57c8deb69805ea4
> this is still a selinux-specific change.
> ---
> security/selinux/hooks.c | 84 ++++++++++++++++++++--------------------
> 1 file changed, 43 insertions(+), 41 deletions(-)

Merged into selinux/next, thanks!

--
paul-moore.com