From ed6c940c8b05baaf8a4318beccde896893cc32dd Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Thu, 15 Jul 2021 13:29:32 +0200 Subject: [PATCH] sedispatch: improve performance using cache friendly api It turns out that using auparse_goto_record_num() is not cache friendly. Since it is only processing AVC events, there is no chance of seeking around and missing the AVC record. So, that part of the program is switched out to use auparse_next_record() which only moves through the event once. Also unused variables were remove and the loop simplified. This change gets about 9% more speed. For reference, this is how I checked the speed: time ./sedispatch < /var/log/audit/audit.log >/dev/null --- src/sedispatch.c | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c index 49c2fce2a333..f2e9fbaf0743 100644 --- a/framework/src/sedispatch.c +++ b/framework/src/sedispatch.c @@ -187,7 +187,7 @@ static int is_setroubleshoot(const char *context) { } /* This function shows how to dump a whole record's text */ -static void dump_whole_record(auparse_state_t *au, void *conn) +static void dump_whole_record(auparse_state_t *au) { size_t size = 1; char *tmp = NULL, *end=NULL; 
@@ -228,35 +228,21 @@ static void dump_whole_record(auparse_state_t *au, void *conn) } -/* This function receives a single complete event at a time from the auparse - * library. This is where the main analysis code would be added. */ +/* This function receives a single complete event from auparse. Internal + * cursors are on the first record. This is where the analysis occurs. */ static void handle_event(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) { - int type, num=0; - - DBusConnection* conn = - (DBusConnection*) user_data; - - if (cb_event_type != AUPARSE_CB_EVENT_READY) - return; - - /* Loop through the records in the event looking for one to process. - We use physical record number because we may search around and - move the cursor accidentally skipping a record. */ - while (auparse_goto_record_num(au, num) > 0) { - type = auparse_get_type(au); + /* Loop through the records looking for an AVC. If we ever process + * other record types without directly returning, we may need to use + * auparse_goto_record_num() to ensure seeing each record. */ + do { /* Only handle AVCs. */ - switch (type) { - case AUDIT_AVC: - dump_whole_record(au, conn); - return; - break; - default: - break; + if (auparse_get_type(au) == AUDIT_AVC) { + dump_whole_record(au); + return; } - num++; - } + } while (auparse_next_record(au) > 0); } #ifdef NOTUSED -- 2.32.0
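Review bot: The rewritten handle_event drops the early return on `cb_event_type != AUPARSE_CB_EVENT_READY`. The commit message mentions only unused variables and the simplified loop, so it is unclear whether removing the guard was intended. Without it the do/while reads `auparse_get_type(au)` on every callback invocation, which is only safe if auparse never calls back with another event type or with the cursor off the first record; neither can be confirmed from this hunk. I would keep the two-line guard `if (cb_event_type != AUPARSE_CB_EVENT_READY) return;` ahead of the loop. If the removal is deliberate, say so in the function comment and mark the now-unused parameters with `(void)cb_event_type; (void)user_data;` so later readers do not assume the event type is still checked.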