ausearch: convert contid to comma/carrat-sep cnode/clist

Convert the contid list from a list of strings to a list of contids for faster and more efficient processing. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs · Dec 19, 2019 · 831c515 · 831c515
1 parent ef87b6f
commit 831c515
Show file tree

Hide file tree

Showing 9 changed files with 313 additions and 122 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -25,7 +25,7 @@ SUBDIRS = test
 AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common
 sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
 AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign
-noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h
+noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h ausearch-contid.h
 
 auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c
 if ENABLE_LISTENER
@@ -41,10 +41,10 @@ auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE
 auditctl_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
 auditctl_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon
 
-aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c
+aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c ausearch-contid.c
 aureport_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon
 
-ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c
+ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c ausearch-contid.c
 ausearch_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon
 
 autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c

diff --git a/src/ausearch-contid.c b/src/ausearch-contid.c
@@ -0,0 +1,171 @@
+/*
+* ausearch-contid.c - Minimal linked list library for contid
+* adapted from ausearch-string.c
+* Copyright (c) 2005,2008,2014,2019 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved. 
+*
+* This software may be freely redistributed and/or modified under the
+* terms of the GNU General Public License as published by the Free
+* Software Foundation; either version 2, or (at your option) any
+* later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; see the file COPYING. If not, write to the
+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor 
+* Boston, MA 02110-1335, USA.
+*
+* Authors:
+*   Steve Grubb <[email protected]>
+*   Richard Guy Briggs <[email protected]>
+*/
+
+#include "ausearch-contid.h"
+#include <stdlib.h>
+
+
+void clist_create(clist *l)
+{
+	l->head = NULL;
+	l->cur = NULL;
+	l->cnt = 0;
+}
+
+void clist_last(clist *l)
+{
+        register cnode* cur;
+
+	if (l->head == NULL)
+		return;
+
+	// Try using cur so that we don't have to start at beginnning
+	if (l->cur)
+		cur = l->cur;
+	else
+	        cur = l->head;
+
+	// Loop until no next value
+	while (cur->next)
+		cur = cur->next;
+	l->cur = cur;
+}
+
+cnode *clist_next(clist *l)
+{
+	if (l->cur == NULL)
+		return NULL;
+	l->cur = l->cur->next;
+	return l->cur;
+}
+
+void clist_append(clist *l, cnode *node)
+{
+	cnode* newnode;
+
+	newnode = malloc(sizeof(cnode));
+
+	newnode->id = node->id;
+	newnode->hits = node->hits;
+	newnode->next = NULL;
+
+	// Make sure cursor is at the end
+	clist_last(l);
+
+	// if we are at top, fix this up
+	if (l->head == NULL)
+		l->head = newnode;
+	else	// Otherwise add pointer to newnode
+		l->cur->next = newnode;
+
+	// make newnode current
+	l->cur = newnode;
+	l->cnt++;
+}
+
+void clist_clear(clist* l)
+{
+	cnode* nextnode;
+	register cnode* current;
+
+	current = l->head;
+	while (current) {
+		nextnode=current->next;
+		free(current);
+		current=nextnode;
+	}
+	l->head = NULL;
+	l->cur = NULL;
+	l->cnt = 0;
+}
+
+/* This function dominates the timing of aureport. Needs to be more efficient */
+int clist_add_if_uniq(clist *l, const unsigned long long id)
+{
+	cnode cn;
+        register cnode *cur;
+
+	if (id == (unsigned long long)-1)
+		return -1;
+
+       	cur = l->head;
+	while (cur) {
+		if (id == cur->id) {
+			cur->hits++;
+			l->cur = cur;
+			return 0;
+		} else 
+			cur = cur->next;
+	}
+
+	/* No matches, append to the end */
+	cn.id = id;
+	cn.hits = 1;
+	clist_append(l, &cn);
+	return 1;
+}
+
+// If lprev would be NULL, use l->head
+static void swap_nodes(cnode *lprev, cnode *left, cnode *right)
+{
+	cnode *t = right->next;
+	if (lprev)
+		lprev->next = right;
+	right->next = left;
+	left->next = t;
+}
+
+// This will sort the list from most hits to least
+void clist_sort_by_hits(clist *l)
+{
+	register cnode* cur, *prev;
+
+	if (l->cnt <= 1)
+		return;
+
+	prev = cur = l->head;
+
+	while (cur && cur->next) {
+		/* If the next node is bigger */
+		if (cur->hits < cur->next->hits) {
+			if (cur == l->head) {
+				// Update the actual list head
+				l->head = cur->next;
+				prev = NULL;
+			}
+			swap_nodes(prev, cur, cur->next);
+
+			// start over
+			prev = cur = l->head;
+			continue;
+		}
+		prev = cur;
+		cur = cur->next;
+	}
+	// End with cur pointing at first record
+	l->cur = l->head;
+}
+
diff --git a/src/ausearch-contid.h b/src/ausearch-contid.h
@@ -0,0 +1,61 @@
+/*
+* ausearch-contid.h - Header file for ausearch-contid.c
+* adapted from ausearch-string.h
+* Copyright (c) 2005,2008,2019 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This software may be freely redistributed and/or modified under the
+* terms of the GNU General Public License as published by the Free
+* Software Foundation; either version 2, or (at your option) any
+* later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; see the file COPYING. If not, write to the
+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor 
+* Boston, MA 02110-1335, USA.
+*
+* Authors:
+*   Steve Grubb <[email protected]>
+*   Richard Guy Briggs <[email protected]>
+*/
+
+#ifndef AUCONTID_HEADER
+#define AUCONTID_HEADER
+
+#include "config.h"
+
+/* This is the node of the linked list. message & item are the only elements
+ * at this time. Any data elements that are per item goes here. */
+typedef struct _cnode{
+  unsigned long long id;		// The audit container id
+  unsigned int hits;	// Number of times this contid was attempted to be added
+  struct _cnode* next;	// Next contid node pointer
+} cnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+  cnode *head;		// List head
+  cnode *cur;		// Pointer to current node
+  unsigned int cnt;	// How many items in this list
+} clist;
+
+void clist_create(clist *l);
+static inline void clist_first(clist *l) { l->cur = l->head; }
+void clist_last(clist *l);
+cnode *clist_next(clist *l);
+static inline cnode *clist_get_cur(clist *l) { return l->cur; }
+void clist_append(clist *l, cnode *node);
+void clist_clear(clist* l);
+
+/* append a contid if its not already on the list */
+int clist_add_if_uniq(clist *l, const unsigned long long id);
+void clist_sort_by_hits(clist *l);
+
+#endif
+
diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
@@ -213,7 +213,7 @@ void list_clear(llist* l)
 	l->s.syscall = 0;
 	l->s.session_id = -2;
 	if (l->s.contid) {
-		slist_clear(l->s.contid);
+		clist_clear(l->s.contid);
 		free(l->s.contid);
 		l->s.contid = NULL;
 	}

diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
@@ -31,6 +31,7 @@
 #include <sys/types.h>
 #include "ausearch-string.h"
 #include "ausearch-avc.h"
+#include "ausearch-contid.h"
 #include "ausearch-common.h"
 
 
@@ -56,7 +57,7 @@ typedef struct
   int arch;             // arch
   int syscall;          // syscall
   uint32_t session_id;  // Login session id
-  slist *contid;        // Container id
+  clist *contid;        // Container id
   long long exit;       // Syscall exit code
   int exit_is_set;      // Syscall exit code is valid
   char *hostname;       // remote hostname

diff --git a/src/ausearch-match.c b/src/ausearch-match.c
@@ -424,32 +424,28 @@ static int context_match(llist *l)
 static int contid_match(llist *l)
 {
 	if (event_contid) {
-		int found = 0;
-		const snode *ecn;
-		slist *ecptr = event_contid;
+		const cnode *ecn;
+		clist *ecptr = event_contid;
 
-		slist_first(ecptr);
-		ecn = slist_get_cur(ecptr);
+		clist_first(ecptr);
+		ecn = clist_get_cur(ecptr);
 		if (l->s.contid) {
-			while (ecn && !found) {
-				const snode *sn;
-				slist *sptr = l->s.contid;
+			while (ecn) {
+				const cnode *cn;
+				clist *cptr = l->s.contid;
 
-				slist_first(sptr);
-				sn = slist_get_cur(sptr);
-				while (sn && !found) {
-					if (!strcmp(sn->str, ecn->str))
-						found++;
-					else
-						sn = slist_next(sptr);
+				clist_first(cptr);
+				cn = clist_get_cur(cptr);
+				while (cn) {
+					if (cn->id == ecn->id)
+						return 1;
+					cn = clist_next(cptr);
 				}
-				if (found)
-					return found;
-				ecn = slist_next(ecptr);
+				ecn = clist_next(ecptr);
 			}
-			return found;
 		}
+		return 0;
 	}
-	return 0;
+	return 1;
 }
 
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
@@ -60,7 +60,7 @@ int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 uint32_t event_session_id = -2;
-const char *event_contid = NULL;
+clist *event_contid = NULL;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int line_buffered = 0;
@@ -1201,6 +1201,7 @@ int check_params(int count, char *vars[])
 			size_t len = strlen(optarg);
 			if (isdigit(optarg[0])) {
 				__u64 contid;
+				cnode cn;
 
 				errno = 0;
 				contid = strtoull(optarg,NULL,0);
@@ -1211,21 +1212,21 @@ int check_params(int count, char *vars[])
 					retval = -1;
 				} else {
 					if (!event_contid) {
-						event_contid = malloc(sizeof(slist));
+						event_contid = malloc(sizeof(clist));
 						if (!event_contid) {
 							retval = -1;
 							break;
 						}
-						slist_create(event_contid);
+						clist_create(event_contid);
 					}
-					sn.str = strdup(optarg);
-					sn.key = NULL;
-					sn.hits = 0;
-					slist_append(event_contid, &sn);
+					cn.id = contid;
+					cn.hits = 0;
+					clist_append(event_contid, &cn);
 				}
 			} else if (len >= 2 && *(optarg)=='-' &&
 					(isdigit(optarg[1]))) {
 				__u64 contid;
+				cnode cn;
 
 				errno = 0;
 				contid = strtoll(optarg, NULL, 0);
@@ -1235,17 +1236,16 @@ int check_params(int count, char *vars[])
 						optarg);
 				} else {
 					if (!event_contid) {
-						event_contid = malloc(sizeof(slist));
+						event_contid = malloc(sizeof(clist));
 						if (!event_contid) {
 							retval = -1;
 							break;
 						}
-						slist_create(event_contid);
+						clist_create(event_contid);
 					}
-					sn.str = strdup(optarg);
-					sn.key = NULL;
-					sn.hits = 0;
-					slist_append(event_contid, &sn);
+					cn.id = contid;
+					cn.hits = 0;
+					clist_append(event_contid, &cn);
 				}
 			} else {
 				fprintf(stderr,