https://bugzilla.novell.com/show_bug.cgi?id=333739#c11
--- Comment #11 from Tony Jones 2007-10-25 18:37:01 MST ---
Ok. So your "default kernel, audit off: 6.443 seconds" middle case is being
caused by a minor bug where at fork time the TIF_SYSCALL_AUDIT thread flag
isn't being cleared (when copied from a parent which was created when audit was
enabled) so the syscall entry isn't taking the optimal fast path. I'll
upstream a fix for this later today, but it's not especially relevant to the
bug itself.

Verified with above fix, your benchmark post auditctl -e0 now runs as fast as a
kernel compiled without CONFIG_AUDITSYSCALL (2.998 seconds in your example).

The performance with audit enabled (8.312 seconds in your example) is still
crappy. The overhead of the syscall auditing is obviously high for minimal
workload syscalls. Looks to be some room for optimization but it'll always add
overhead.

For 10.3, the issue is that auditd is being started in a manner where audit
contexts are being created. I'm going to talk to PM about how we should handle
this, possibly re-enable the previous patch so audit starts in a disabled
state.

In the ultra short term, if you don't care about having audit enabled, you can
just disable it via chkconfig.

If you have suggestions/comments, let me know.