[PATCH] 3/5: LSM hooks rework

From: Kurt Garloff
Date: Sun Feb 13 2005 - 16:20:42 EST


From: Kurt Garloff <garloff@xxxxxxx>
Subject: Replace indirect calls by a branch
References: 40217, 39439

In the LSM stub collection, rather do a branch than an indirect
call. Many of the functions called do only return 0 or do nothing
for the default (capability) case.
This is a fast-path optimization; a branch is faster than an
indirect call, even more so if correctly predicted.
This shows a >3% perf. increase in netperf -t TCP_RR benchmark on IA64.
(More exactly: The benchmark was taken with the next two patches
applied as well, but I attribute the main effect to this patch.)

This is patch 3/5 of the LSM overhaul.

include/linux/security.h | 6 +++++-
security/security.c | 2 --
2 files changed, 5 insertions(+), 3 deletions(-)

Signed-off-by: Kurt Garloff <garloff@xxxxxxx>

Index: linux-2.6.10/include/linux/security.h
===================================================================
--- linux-2.6.10.orig/include/linux/security.h
+++ linux-2.6.10/include/linux/security.h
@@ -1241,17 +1241,21 @@ struct security_operations {
};

/* global variables */
extern struct security_operations *security_ops;
+/* default security ops */
+extern struct security_operations capability_security_ops;

/* prototypes */
extern int security_init (void);
extern int register_security (struct security_operations *ops);
extern int unregister_security (struct security_operations *ops);
extern int mod_reg_security (const char *name, struct security_operations *ops);
extern int mod_unreg_security (const char *name, struct security_operations *ops);

-#define COND_SECURITY(seop, def) security_ops->seop
+/* Condition for invocation of non-default security_op */
+#define COND_SECURITY(seop, def) \
+ (security_ops == &capability_security_ops)? def: security_ops->seop

#else /* CONFIG_SECURITY */
static inline int security_init(void)
{
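Review bot: The new COND_SECURITY body is an unparenthesized conditional expression, so a caller that places it inside a larger expression (followed by `&&`, `+`, a comparison, and so on) will parse differently than it did with the old `security_ops->seop` form. Wrap the whole expansion and the `def` argument in parentheses, for example `((security_ops == &capability_security_ops) ? (def) : security_ops->seop)`. Also note that the fast path now yields `def` at the call site instead of calling the capability hook, so every `def` passed by a stub has to match what the corresponding capability_security_ops function actually returns. The one-line comment above the macro should state that requirement so the two do not drift apart.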
Index: linux-2.6.10/security/security.c
===================================================================
--- linux-2.6.10.orig/security/security.c
+++ linux-2.6.10/security/security.c
@@ -21,10 +21,8 @@
#define SECURITY_FRAMEWORK_VERSION "1.0.0"

/* things that live in dummy.c */
extern void security_fixup_ops (struct security_operations *ops);
-/* default security ops */
-extern struct security_operations capability_security_ops;

struct security_operations *security_ops; /* Initialized to NULL */

static inline int verify(struct security_operations *ops)
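Review bot: The context line `struct security_operations *security_ops; /* Initialized to NULL */` matters for the new macro. Until security_ops is assigned, the comparison against &capability_security_ops is false and COND_SECURITY falls through to `security_ops->seop`, and the fast path is only ever taken if the default installed at init is exactly &capability_security_ops. That assignment is not part of this patch, so the changelog or a comment should say where it happens. Dropping the extern here is fine provided security.c picks up the declaration from linux/security.h, where it now sits in the CONFIG_SECURITY branch of the header.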
--
Kurt Garloff, Director SUSE Labs, Novell Inc.
