Hi, this optimizes the case where no LSM is loaded and the (new) default capablities is used. These are not called via indirect calls but called as hardcoded calls and might thus be inlined; the price for this is a conditional -- benchmarks done by hp showed this to be beneficial (on ia64). Enjoy, -- Kurt Garloff, Director SUSE Labs, Novell Inc.
From: Kurt Garloff <[email protected]> Subject: Replace indirect calls by a branch References: SUSE40217, SUSE39439 In the LSM stub collection, rather do a branch than an indirect call. Many of the functions called do only return 0 or do nothing for the default (capability) case. This is a fast-path optimization; a branch is faster than an indirect call, even more so if correctly predicted. This shows a >3% perf. increase in netperf -t TCP_RR benchmark on IA64. (More exactly: The benchmark was taken with the next two patches applied as well, but I attribute the main effect to this patch.) This is patch 3/5 of the LSM overhaul. include/linux/security.h | 6 +++++- security/security.c | 2 -- 2 files changed, 5 insertions(+), 3 deletions(-) Signed-off-by: Kurt Garloff <[email protected]> Index: linux-2.6.12/include/linux/security.h =================================================================== --- linux-2.6.12.orig/include/linux/security.h +++ linux-2.6.12/include/linux/security.h @@ -1246,17 +1246,21 @@ struct security_operations { }; /* global variables */ extern struct security_operations *security_ops; +/* default security ops */ +extern struct security_operations capability_security_ops; /* prototypes */ extern int security_init (void); extern int register_security (struct security_operations *ops); extern int unregister_security (struct security_operations *ops); extern int mod_reg_security (const char *name, struct security_operations *ops); extern int mod_unreg_security (const char *name, struct security_operations *ops); -# define COND_SECURITY(seop, def) security_ops->seop +/* Condition for invocation of non-default security_op */ +# define COND_SECURITY(seop, def) \ + (security_ops == &capability_security_ops)? def: security_ops->seop # else /* CONFIG_SECURITY */ static inline int security_init(void) { Index: linux-2.6.12/security/security.c =================================================================== --- linux-2.6.12.orig/security/security.c +++ linux-2.6.12/security/security.c @@ -21,10 +21,8 @@ #define SECURITY_FRAMEWORK_VERSION "1.0.0" /* things that live in dummy.c */ extern void security_fixup_ops (struct security_operations *ops); -/* default security ops */ -extern struct security_operations capability_security_ops; struct security_operations *security_ops; /* Initialized to NULL */ static inline int verify(struct security_operations *ops)
Attachment:
pgp2j7evokhUl.pgp
Description: PGP signature
- Follow-Ups:
- Re: [PATCH 3/3] Use conditional
- From: Tony Jones <[email protected]>
- Re: [PATCH 3/3] Use conditional
- From: James Morris <[email protected]>
- Re: [PATCH 3/3] Use conditional
- Prev by Date: [PATCH 2b/3] Cleanup the security stubs
- Next by Date: Re: FUSE merging? (2)
- Previous by thread: [PATCH 2b/3] Cleanup the security stubs
- Next by thread: Re: [PATCH 3/3] Use conditional
- Index(es):