Improve sedispatch performance
Resolves: rhbz#1982661
parent
a1a9aa7d9d
commit
13d41f7880
163
0003-sedispatch-improve-performance.patch
Normal file
@ -0,0 +1,163 @@
|
||||
From 46369d08223e06fb7884a4e65ff47a3b0b828f25 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Thu, 15 Jul 2021 13:22:59 +0200
|
||||
Subject: [PATCH] sedispatch: improve performance
|
||||
|
||||
sedispatch is pretty much the slowest audit relatedplugin. It was mixing
|
||||
descriptors (select) and FILE functions (fgets) which is not a good recipe.
|
||||
|
||||
It's reworked to only use descriptors. Also the flow is updated to
|
||||
follow the latest plugin recommendations. This makes it run almost twice
|
||||
as fast. The call to auparse_set_eoe_timeout() requires audit 3.0.1.
|
||||
---
|
||||
src/sedispatch.c | 72 +++++++++++++++++++++++++-----------------------
|
||||
1 file changed, 38 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
|
||||
index 2fa94fd85cc3..49c2fce2a333 100644
|
||||
--- a/framework/src/sedispatch.c
|
||||
+++ b/framework/src/sedispatch.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* sedispatch.c --
|
||||
- * Copyright 2009 Red Hat Inc., Durham, North Carolina.
|
||||
+ * Copyright 2009,2021 Red Hat Inc.
|
||||
* All Rights Reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@@ -30,14 +30,14 @@
|
||||
*
|
||||
*/
|
||||
|
||||
-#define _GNU_SOURCE
|
||||
-#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <errno.h>
|
||||
#include "libaudit.h"
|
||||
#include "auparse.h"
|
||||
#include "sedbus.h"
|
||||
@@ -101,8 +101,6 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
|
||||
{
|
||||
char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
|
||||
struct sigaction sa;
|
||||
- fd_set rfds;
|
||||
- struct timeval tv;
|
||||
|
||||
/* Register sighandlers */
|
||||
sa.sa_flags = 0;
|
||||
@@ -113,6 +111,9 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
|
||||
sa.sa_handler = hup_handler;
|
||||
sigaction(SIGHUP, &sa, NULL);
|
||||
|
||||
+ /* Set STDIN non-blocking */
|
||||
+ fcntl(0, F_SETFL, O_NONBLOCK);
|
||||
+
|
||||
/* Initialize the auparse library */
|
||||
au = auparse_init(AUSOURCE_FEED, 0);
|
||||
if (au == NULL) {
|
||||
@@ -120,37 +121,49 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ auparse_set_eoe_timeout(2);
|
||||
auparse_add_callback(au, handle_event, NULL, NULL);
|
||||
+
|
||||
#ifdef HAVE_LIBCAP_NG
|
||||
capng_clear(CAPNG_SELECT_BOTH);
|
||||
capng_apply(CAPNG_SELECT_BOTH);
|
||||
#endif
|
||||
+
|
||||
do {
|
||||
+ fd_set rfds;
|
||||
+ int retval;
|
||||
+ int read_size = 1; /* Set to 1 so it's not EOF */
|
||||
+
|
||||
/* Load configuration */
|
||||
if (hup) {
|
||||
reload_config();
|
||||
}
|
||||
|
||||
- /* Now the event loop */
|
||||
- while (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, stdin) &&
|
||||
- hup==0 && stop==0) {
|
||||
- auparse_feed(au, tmp, strnlen(tmp,
|
||||
- MAX_AUDIT_MESSAGE_LENGTH));
|
||||
-
|
||||
- /* Wait for 3 seconds and if nothing has happen expect that the event
|
||||
- * is complete and flush parser's feed
|
||||
- * FIXME: in future, libaudit will provide a better mechanism for aging
|
||||
- * events
|
||||
- */
|
||||
+ do {
|
||||
FD_ZERO(&rfds);
|
||||
FD_SET(0, &rfds);
|
||||
- tv.tv_sec = 3;
|
||||
- tv.tv_usec = 0;
|
||||
- if (select(1, &rfds, NULL, NULL, &tv) == 0)
|
||||
- /* The timeout occurred, the event is probably complete */
|
||||
- auparse_flush_feed(au);
|
||||
+
|
||||
+ if (auparse_feed_has_data(au)) {
|
||||
+ // We'll do a 1 second timeout to try to
|
||||
+ // age events as quick as possible
|
||||
+ struct timeval tv;
|
||||
+ tv.tv_sec = 1;
|
||||
+ tv.tv_usec = 0;
|
||||
+ retval = select(1, &rfds, NULL, NULL, &tv);
|
||||
+ } else
|
||||
+ retval = select(1, &rfds, NULL, NULL, NULL);
|
||||
+
|
||||
+ /* If we timed out & have events, shake them loose */
|
||||
+ if (retval == 0 && auparse_feed_has_data(au))
|
||||
+ auparse_feed_age_events(au);
|
||||
+ } while (retval == -1 && errno == EINTR && !hup && !stop);
|
||||
+
|
||||
+ /* Handle the event */
|
||||
+ if (!hup && !stop && retval > 0) {
|
||||
+ read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
|
||||
+ auparse_feed(au, tmp, read_size);
|
||||
}
|
||||
- if (feof(stdin))
|
||||
+ if (read_size == 0) /* EOF */
|
||||
break;
|
||||
} while (stop == 0);
|
||||
|
||||
@@ -178,7 +191,6 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
|
||||
{
|
||||
size_t size = 1;
|
||||
char *tmp = NULL, *end=NULL;
|
||||
- int i = 0;
|
||||
const char * rec = NULL;
|
||||
const char *scon = auparse_find_field(au, "scontext");
|
||||
const char *tcon = auparse_find_field(au, "tcontext");
|
||||
@@ -234,19 +246,11 @@ static void handle_event(auparse_state_t *au,
|
||||
move the cursor accidentally skipping a record. */
|
||||
while (auparse_goto_record_num(au, num) > 0) {
|
||||
type = auparse_get_type(au);
|
||||
- /* Now we can branch based on what record type we find.
|
||||
- This is just a few suggestions, but it could be anything. */
|
||||
+ /* Only handle AVCs. */
|
||||
switch (type) {
|
||||
case AUDIT_AVC:
|
||||
- dump_whole_record(au, conn);
|
||||
- break;
|
||||
- case AUDIT_SYSCALL:
|
||||
- break;
|
||||
- case AUDIT_USER_LOGIN:
|
||||
- break;
|
||||
- case AUDIT_ANOM_ABEND:
|
||||
- break;
|
||||
- case AUDIT_MAC_STATUS:
|
||||
+ dump_whole_record(au, conn);
|
||||
+ return;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
--
|
||||
2.32.0
|
||||
|
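Review bot: In the `@@ -120,37 +121,49 @@` hunk the result of `read()` is passed straight to `auparse_feed()` as the length, so a failed read is handed over as -1. The same commit sets stdin to O_NONBLOCK, so a read can fail with EAGAIN or EINTR, and libauparse declares that length parameter as size_t, so -1 becomes a very large count over the stack buffer `tmp`. Feed only on success: keep `read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);` and follow it with `if (read_size > 0) auparse_feed(au, tmp, read_size);`, leaving the `read_size == 0` EOF test as it is. Separately, `fcntl(0, F_SETFL, O_NONBLOCK)` replaces the existing status flags and ignores failure; OR-ing O_NONBLOCK into the result of `F_GETFL` and checking the return would be safer. main() begins and ends outside these hunks.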
@ -0,0 +1,83 @@
|
||||
From ed6c940c8b05baaf8a4318beccde896893cc32dd Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Thu, 15 Jul 2021 13:29:32 +0200
|
||||
Subject: [PATCH] sedispatch: improve performance using cache friendly api
|
||||
|
||||
It turns out that using auparse_goto_record_num() is not cache friendly.
|
||||
Since it is only processing AVC events, there is no chance of seeking
|
||||
around and missing the AVC record. So, that part of the program is
|
||||
switched out to use auparse_next_record() which only moves through the
|
||||
event once.
|
||||
|
||||
Also unused variables were remove and the loop simplified.
|
||||
|
||||
This change gets about 9% more speed. For reference, this
|
||||
is how I checked the speed:
|
||||
|
||||
time ./sedispatch < /var/log/audit/audit.log >/dev/null
|
||||
---
|
||||
src/sedispatch.c | 36 +++++++++++-------------------------
|
||||
1 file changed, 11 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
|
||||
index 49c2fce2a333..f2e9fbaf0743 100644
|
||||
--- a/framework/src/sedispatch.c
|
||||
+++ b/framework/src/sedispatch.c
|
||||
@@ -187,7 +187,7 @@ static int is_setroubleshoot(const char *context) {
|
||||
}
|
||||
|
||||
/* This function shows how to dump a whole record's text */
|
||||
-static void dump_whole_record(auparse_state_t *au, void *conn)
|
||||
+static void dump_whole_record(auparse_state_t *au)
|
||||
{
|
||||
size_t size = 1;
|
||||
char *tmp = NULL, *end=NULL;
|
||||
@@ -228,35 +228,21 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
|
||||
}
|
||||
|
||||
|
||||
-/* This function receives a single complete event at a time from the auparse
|
||||
- * library. This is where the main analysis code would be added. */
|
||||
+/* This function receives a single complete event from auparse. Internal
|
||||
+ * cursors are on the first record. This is where the analysis occurs. */
|
||||
static void handle_event(auparse_state_t *au,
|
||||
auparse_cb_event_t cb_event_type, void *user_data)
|
||||
{
|
||||
- int type, num=0;
|
||||
-
|
||||
- DBusConnection* conn =
|
||||
- (DBusConnection*) user_data;
|
||||
-
|
||||
- if (cb_event_type != AUPARSE_CB_EVENT_READY)
|
||||
- return;
|
||||
-
|
||||
- /* Loop through the records in the event looking for one to process.
|
||||
- We use physical record number because we may search around and
|
||||
- move the cursor accidentally skipping a record. */
|
||||
- while (auparse_goto_record_num(au, num) > 0) {
|
||||
- type = auparse_get_type(au);
|
||||
+ /* Loop through the records looking for an AVC. If we ever process
|
||||
+ * other record types without directly returning, we may need to use
|
||||
+ * auparse_goto_record_num() to ensure seeing each record. */
|
||||
+ do {
|
||||
/* Only handle AVCs. */
|
||||
- switch (type) {
|
||||
- case AUDIT_AVC:
|
||||
- dump_whole_record(au, conn);
|
||||
- return;
|
||||
- break;
|
||||
- default:
|
||||
- break;
|
||||
+ if (auparse_get_type(au) == AUDIT_AVC) {
|
||||
+ dump_whole_record(au);
|
||||
+ return;
|
||||
}
|
||||
- num++;
|
||||
- }
|
||||
+ } while (auparse_next_record(au) > 0);
|
||||
}
|
||||
|
||||
#ifdef NOTUSED
|
||||
--
|
||||
2.32.0
|
||||
|
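Review bot: handle_event() no longer tests `cb_event_type`, so it would walk the records for any callback type libauparse delivers, and both `cb_event_type` and `user_data` are now unused. Keeping the guard costs nothing on the hot path: `if (cb_event_type != AUPARSE_CB_EVENT_READY) return;` as the first statement. The do/while also reads the record type before any cursor call, which relies on the cursor being on the first record, as the new comment states. A short note saying this holds only while nothing else moves the cursor before the callback runs would help the next maintainer.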
@ -0,0 +1,25 @@
|
||||
From 4041744bc94ee94a5d6ba59dd398e2eaae790b97 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 11:03:47 +0200
|
||||
Subject: [PATCH] auparse_set_eoe_timeout() requires audit / libauparse 3.0.1
|
||||
|
||||
---
|
||||
configure.ac | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/framework/configure.ac b/framework/configure.ac
|
||||
index d1d01766e4a0..0fba58dca9d2 100644
|
||||
--- a/framework/configure.ac
|
||||
+++ b/framework/configure.ac
|
||||
@@ -13,6 +13,8 @@ PKG_CHECK_MODULES([NOTIFY], [libnotify])
|
||||
PKG_CHECK_MODULES([SEAPPLETLEGACY], [gtk+-2.0 gio-unix-2.0 libnotify dbus-glib-1],
|
||||
[seappletlegacy=yes], [seappletlegacy=no])
|
||||
PKG_CHECK_MODULES([SEAPPLET], [gtk+-3.0])
|
||||
+# auparse_set_eoe_timeout() requires libauparse 3.0.1
|
||||
+PKG_CHECK_MODULES([SEDISPATCH], [auparse >= 3.0.1])
|
||||
|
||||
# make sure we keep ACLOCAL_FLAGS around for maintainer builds to work
|
||||
AC_SUBST(ACLOCAL_AMFLAGS, "\${ACLOCAL_FLAGS}")
|
||||
--
|
||||
2.32.0
|
||||
|
@ -4,7 +4,7 @@
|
||||
Summary: Helps troubleshoot SELinux problems
|
||||
Name: setroubleshoot
|
||||
Version: 3.3.26
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
URL: https://pagure.io/setroubleshoot
|
||||
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
|
||||
@ -13,11 +13,15 @@ Source1: %{name}.tmpfiles
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
Patch0001: 0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
|
||||
Patch0002: 0002-Do-not-use-Python-slip-package.patch
|
||||
Patch0003: 0003-sedispatch-improve-performance.patch
|
||||
Patch0004: 0004-sedispatch-improve-performance-using-cache-friendly-.patch
|
||||
Patch0005: 0005-auparse_set_eoe_timeout-requires-audit-libauparse-3..patch
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: libcap-ng-devel
|
||||
BuildRequires: intltool gettext python3 python3-devel
|
||||
BuildRequires: desktop-file-utils dbus-glib-devel gtk2-devel libnotify-devel audit-libs-devel libselinux-devel polkit-devel
|
||||
BuildRequires: desktop-file-utils dbus-glib-devel gtk2-devel libnotify-devel libselinux-devel polkit-devel
|
||||
BuildRequires: audit-libs-devel >= 3.0.1
|
||||
BuildRequires: python3-libselinux python3-dasbus python3-gobject gtk3-devel
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Requires: gtk3, libnotify
|
||||
@ -89,7 +93,7 @@ install -m644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
|
||||
Summary: SELinux troubleshoot server
|
||||
|
||||
Requires: %{name}-plugins >= 3.3.10
|
||||
Requires: audit >= 3
|
||||
Requires: audit >= 3.0.1
|
||||
Requires: audit-libs-python3
|
||||
Requires: libxml2-python3
|
||||
Requires: rpm-python3
|
||||
@ -190,6 +194,9 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
|
||||
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
|
||||
|
||||
%changelog
|
||||
* Fri Jul 16 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3.26-4
|
||||
- Improve sedispatch performance
|
||||
|
||||
* Fri Jul 2 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3.26-3
|
||||
- Fix file mode of email_alert_recipients
|
||||
|
||||
|