13d41f7880
Resolves: rhbz#1982661
From ed6c940c8b05baaf8a4318beccde896893cc32dd Mon Sep 17 00:00:00 2001
|
|
From: Steve Grubb <sgrubb@redhat.com>
|
|
Date: Thu, 15 Jul 2021 13:29:32 +0200
|
|
Subject: [PATCH] sedispatch: improve performance using cache friendly api
|
|
|
|
It turns out that using auparse_goto_record_num() is not cache friendly.
|
|
Since it is only processing AVC events, there is no chance of seeking
|
|
around and missing the AVC record. So, that part of the program is
|
|
switched out to use auparse_next_record() which only moves through the
|
|
event once.
|
|
|
|
Also, unused variables were removed and the loop simplified.
|
|
|
|
This change gets about 9% more speed. For reference, this
|
|
is how I checked the speed:
|
|
|
|
time ./sedispatch < /var/log/audit/audit.log >/dev/null
|
|
---
|
|
src/sedispatch.c | 36 +++++++++++-------------------------
|
|
1 file changed, 11 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
|
|
index 49c2fce2a333..f2e9fbaf0743 100644
|
|
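--- a/framework/src/sedispatch.c
+++ b/framework/src/sedispatch.c
@@ -187,7 +187,7 @@ static int is_setroubleshoot(const char *context) {
 }
 
 /* This function shows how to dump a whole record's text */
-static void dump_whole_record(auparse_state_t *au, void *conn)
+static void dump_whole_record(auparse_state_t *au)
 {
 size_t size = 1;
 char *tmp = NULL, *end=NULL;
@@ -228,35 +228,21 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
 }
 
 
-/* This function receives a single complete event at a time from the auparse
- * library. This is where the main analysis code would be added. */
+/* This function receives a single complete event from auparse. Internal
+ * cursors are on the first record. This is where the analysis occurs. */
 static void handle_event(auparse_state_t *au,
 auparse_cb_event_t cb_event_type, void *user_data)
 {
- int type, num=0;
-
- DBusConnection* conn =
- (DBusConnection*) user_data;
-
- if (cb_event_type != AUPARSE_CB_EVENT_READY)
- return;
-
- /* Loop through the records in the event looking for one to process.
- We use physical record number because we may search around and
- move the cursor accidentally skipping a record. */
- while (auparse_goto_record_num(au, num) > 0) {
- type = auparse_get_type(au);
+ /* Loop through the records looking for an AVC. If we ever process
+ * other record types without directly returning, we may need to use
+ * auparse_goto_record_num() to ensure seeing each record. */
+ do {
 /* Only handle AVCs. */
- switch (type) {
- case AUDIT_AVC:
- dump_whole_record(au, conn);
- return;
- break;
- default:
- break;
+ if (auparse_get_type(au) == AUDIT_AVC) {
+ dump_whole_record(au);
+ return;
 }
- num++;
- }
+ } while (auparse_next_record(au) > 0);
 }
 
 #ifdef NOTUSED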
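Review bot: The rewritten `handle_event` drops the `if (cb_event_type != AUPARSE_CB_EVENT_READY) return;` guard together with the unused variables, so the `do { ... } while (auparse_next_record(au) > 0);` loop now runs for any callback type and reads `auparse_get_type(au)` before any cursor call. I would keep the guard as the first statement. It costs nothing on the hot path, and it stops the loop from reading parser state if the library ever delivers a callback that is not a ready event. The loop also depends on the cursor already being on the first record, which the new comment states but nothing in the hunk enforces. If that does not hold, an AVC earlier in the event would be skipped silently and the denial would never be reported, so it is worth confirming that auparse guarantees this, or calling `auparse_first_record(au);` before the loop. With the `DBusConnection` cast gone, `user_data` is unused as well, so add `(void)user_data;` to keep `-Wunused-parameter` builds clean. The body of `dump_whole_record` and the callback registration are outside this hunk, so I have not checked whether anything still passes a connection.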
--
|
|
2.32.0
|
|
|