Message ID | 20220418145945.38797-24-casey@schaufler-ca.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Series | [v35,01/29] integrity: disassociate ima_filter_rule from security_audit_rule | expand |
On 4/18/22 07:59, Casey Schaufler wrote: > Replace the timestamp and serial number pair used in audit records > with a structure containing the two elements. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > Acked-by: Paul Moore <paul@paul-moore.com> > --- > kernel/audit.c | 17 +++++++++-------- > kernel/audit.h | 12 +++++++++--- > kernel/auditsc.c | 22 +++++++++------------- > 3 files changed, 27 insertions(+), 24 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 28ff7a5f90bd..6b6c089512f7 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1822,11 +1822,11 @@ unsigned int audit_serial(void) > } > > static inline void audit_get_stamp(struct audit_context *ctx, > - struct timespec64 *t, unsigned int *serial) > + struct audit_stamp *stamp) > { > - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { > - ktime_get_coarse_real_ts64(t); > - *serial = audit_serial(); > + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { > + ktime_get_coarse_real_ts64(&stamp->ctime); > + stamp->serial = audit_serial(); > } > } > > @@ -1849,8 +1849,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, > int type) > { > struct audit_buffer *ab; > - struct timespec64 t; > - unsigned int serial; > + struct audit_stamp stamp; > > if (audit_initialized != AUDIT_INITIALIZED) > return NULL; > @@ -1905,12 +1904,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, > return NULL; > } > > - audit_get_stamp(ab->ctx, &t, &serial); > + audit_get_stamp(ab->ctx, &stamp); > /* cancel dummy context to enable supporting records */ > if (ctx) > ctx->dummy = 0; > audit_log_format(ab, "audit(%llu.%03lu:%u): ", > - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); > + (unsigned long long)stamp.ctime.tv_sec, > + stamp.ctime.tv_nsec/1000000, > + stamp.serial); > > return ab; > } > diff --git a/kernel/audit.h b/kernel/audit.h > index 4af63e7dde17..260dab6e0e15 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h 
> @@ -99,6 +99,12 @@ struct audit_proctitle { > char *value; /* the cmdline field */ > }; > > +/* A timestamp/serial pair to identify an event */ > +struct audit_stamp { > + struct timespec64 ctime; /* time of syscall entry */ > + unsigned int serial; /* serial number for record */ > +}; > + > /* The per-task audit context. */ > struct audit_context { > int dummy; /* must be the first element */ > @@ -108,10 +114,10 @@ struct audit_context { > AUDIT_CTX_URING, /* in use by io_uring */ > } context; > enum audit_state state, current_state; > + struct audit_stamp stamp; /* event identifier */ > unsigned int serial; /* serial number for record */ shouldn't we be dropping serial from the audit_context, since we have moved it into the audit_stamp? > int major; /* syscall number */ > int uring_op; /* uring operation */ > - struct timespec64 ctime; /* time of syscall entry */ > unsigned long argv[4]; /* syscall arguments */ > long return_code;/* syscall return code */ > u64 prio; > @@ -265,7 +271,7 @@ extern void audit_put_tty(struct tty_struct *tty); > #ifdef CONFIG_AUDITSYSCALL > extern unsigned int audit_serial(void); > extern int auditsc_get_stamp(struct audit_context *ctx, > - struct timespec64 *t, unsigned int *serial); > + struct audit_stamp *stamp); > > extern void audit_put_watch(struct audit_watch *watch); > extern void audit_get_watch(struct audit_watch *watch); > @@ -306,7 +312,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, > struct audit_context *ctx); > extern struct list_head *audit_killed_trees(void); > #else /* CONFIG_AUDITSYSCALL */ > -#define auditsc_get_stamp(c, t, s) 0 > +#define auditsc_get_stamp(c, s) 0 > #define audit_put_watch(w) do { } while (0) > #define audit_get_watch(w) do { } while (0) > #define audit_to_watch(k, p, l, o) (-EINVAL) > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6fe9f2525fc1..557713954a69 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c 
> @@ -992,10 +992,10 @@ static void audit_reset_context(struct audit_context *ctx) > */ > > ctx->current_state = ctx->state; > - ctx->serial = 0; > + ctx->stamp.serial = 0; > ctx->major = 0; > ctx->uring_op = 0; > - ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; > + ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; > memset(ctx->argv, 0, sizeof(ctx->argv)); > ctx->return_code = 0; > ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); > @@ -1950,7 +1950,7 @@ void __audit_uring_entry(u8 op) > > ctx->context = AUDIT_CTX_URING; > ctx->current_state = ctx->state; > - ktime_get_coarse_real_ts64(&ctx->ctime); > + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); > } > > /** > @@ -2066,7 +2066,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, > context->argv[3] = a4; > context->context = AUDIT_CTX_SYSCALL; > context->current_state = state; > - ktime_get_coarse_real_ts64(&context->ctime); > + ktime_get_coarse_real_ts64(&context->stamp.ctime); > } > > /** > @@ -2535,21 +2535,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); > /** > * auditsc_get_stamp - get local copies of audit_context values > * @ctx: audit_context for the task > - * @t: timespec64 to store time recorded in the audit_context > - * @serial: serial value that is recorded in the audit_context > + * @stamp: timestamp to record > * > * Also sets the context as auditable. > */ > -int auditsc_get_stamp(struct audit_context *ctx, > - struct timespec64 *t, unsigned int *serial) > +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) > { > if (ctx->context == AUDIT_CTX_UNUSED) > return 0; > - if (!ctx->serial) > - ctx->serial = audit_serial(); > - t->tv_sec = ctx->ctime.tv_sec; > - t->tv_nsec = ctx->ctime.tv_nsec; > - *serial = ctx->serial; > + if (!ctx->stamp.serial) > + ctx->stamp.serial = audit_serial(); > + *stamp = ctx->stamp; > if (!ctx->prio) { > ctx->prio = 1; > ctx->current_state = AUDIT_STATE_RECORD;
On Mon, Apr 25, 2022 at 7:31 PM John Johansen <john.johansen@canonical.com> wrote: > On 4/18/22 07:59, Casey Schaufler wrote: > > Replace the timestamp and serial number pair used in audit records > > with a structure containing the two elements. > > > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > > Acked-by: Paul Moore <paul@paul-moore.com> > > --- > > kernel/audit.c | 17 +++++++++-------- > > kernel/audit.h | 12 +++++++++--- > > kernel/auditsc.c | 22 +++++++++------------- > > 3 files changed, 27 insertions(+), 24 deletions(-) ... > > diff --git a/kernel/audit.h b/kernel/audit.h > > index 4af63e7dde17..260dab6e0e15 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -108,10 +114,10 @@ struct audit_context { > > AUDIT_CTX_URING, /* in use by io_uring */ > > } context; > > enum audit_state state, current_state; > > + struct audit_stamp stamp; /* event identifier */ > > unsigned int serial; /* serial number for record */ > > shouldn't we be dropping serial from the audit_context, since we have > moved it into the audit_stamp? Unless we make some significant changes to audit_log_start() we still need to preserve a timestamp in the audit_context so that regularly associated audit records can share a common timestamp (which is what groups multiple records into a single "event"). FWIW, I'm working on some patches which will make a lot of this better in the future, but they aren't ready yet and would almost surely land after the stacking patches. Audit will get better at some point in the future, I promise :) -- paul-moore.com
On 4/26/22 11:03, Paul Moore wrote: > On Mon, Apr 25, 2022 at 7:31 PM John Johansen > <john.johansen@canonical.com> wrote: >> On 4/18/22 07:59, Casey Schaufler wrote: >>> Replace the timestamp and serial number pair used in audit records >>> with a structure containing the two elements. >>> >>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >>> Acked-by: Paul Moore <paul@paul-moore.com> >>> --- >>> kernel/audit.c | 17 +++++++++-------- >>> kernel/audit.h | 12 +++++++++--- >>> kernel/auditsc.c | 22 +++++++++------------- >>> 3 files changed, 27 insertions(+), 24 deletions(-) > > ... > >>> diff --git a/kernel/audit.h b/kernel/audit.h >>> index 4af63e7dde17..260dab6e0e15 100644 >>> --- a/kernel/audit.h >>> +++ b/kernel/audit.h >>> @@ -108,10 +114,10 @@ struct audit_context { >>> AUDIT_CTX_URING, /* in use by io_uring */ >>> } context; >>> enum audit_state state, current_state; >>> + struct audit_stamp stamp; /* event identifier */ >>> unsigned int serial; /* serial number for record */ >> >> shouldn't we be dropping serial from the audit_context, since we have >> moved it into the audit_stamp? > > Unless we make some significant changes to audit_log_start() we still > need to preserve a timestamp in the audit_context so that regularly > associated audit records can share a common timestamp (which is what > groups multiple records into a single "event"). > sure, but the patch changes things to use ctx->stamp.serial instead of ctx->serial. Eg. in audit_reset_context() we have - ctx->serial = 0; + ctx->stamp.serial = 0; I don't see a reason why we need both ctx->serial and ctx->stamp.serial
On Tue, Apr 26, 2022 at 2:58 PM John Johansen <john.johansen@canonical.com> wrote: > On 4/26/22 11:03, Paul Moore wrote: > > On Mon, Apr 25, 2022 at 7:31 PM John Johansen > > <john.johansen@canonical.com> wrote: > >> On 4/18/22 07:59, Casey Schaufler wrote: > >>> Replace the timestamp and serial number pair used in audit records > >>> with a structure containing the two elements. > >>> > >>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > >>> Acked-by: Paul Moore <paul@paul-moore.com> > >>> --- > >>> kernel/audit.c | 17 +++++++++-------- > >>> kernel/audit.h | 12 +++++++++--- > >>> kernel/auditsc.c | 22 +++++++++------------- > >>> 3 files changed, 27 insertions(+), 24 deletions(-) > > > > ... > > > >>> diff --git a/kernel/audit.h b/kernel/audit.h > >>> index 4af63e7dde17..260dab6e0e15 100644 > >>> --- a/kernel/audit.h > >>> +++ b/kernel/audit.h > >>> @@ -108,10 +114,10 @@ struct audit_context { > >>> AUDIT_CTX_URING, /* in use by io_uring */ > >>> } context; > >>> enum audit_state state, current_state; > >>> + struct audit_stamp stamp; /* event identifier */ > >>> unsigned int serial; /* serial number for record */ > >> > >> shouldn't we be dropping serial from the audit_context, since we have > >> moved it into the audit_stamp? > > > > Unless we make some significant changes to audit_log_start() we still > > need to preserve a timestamp in the audit_context so that regularly > > associated audit records can share a common timestamp (which is what > > groups multiple records into a single "event"). > > > sure, but the patch changes things to use ctx->stamp.serial instead of > ctx->serial ... My apologies, I read your original comment wrong; I was thinking you were suggesting removing the timestamp info from audit_context in favor of using the timestamp info contained in the audit_buffer. Yes, audit_context:serial is no longer needed with audit_context:stamp.
On 4/26/2022 12:18 PM, Paul Moore wrote: > On Tue, Apr 26, 2022 at 2:58 PM John Johansen > <john.johansen@canonical.com> wrote: >> On 4/26/22 11:03, Paul Moore wrote: >>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen >>> <john.johansen@canonical.com> wrote: >>>> On 4/18/22 07:59, Casey Schaufler wrote: >>>>> Replace the timestamp and serial number pair used in audit records >>>>> with a structure containing the two elements. >>>>> >>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >>>>> Acked-by: Paul Moore <paul@paul-moore.com> >>>>> --- >>>>> kernel/audit.c | 17 +++++++++-------- >>>>> kernel/audit.h | 12 +++++++++--- >>>>> kernel/auditsc.c | 22 +++++++++------------- >>>>> 3 files changed, 27 insertions(+), 24 deletions(-) >>> ... >>> >>>>> diff --git a/kernel/audit.h b/kernel/audit.h >>>>> index 4af63e7dde17..260dab6e0e15 100644 >>>>> --- a/kernel/audit.h >>>>> +++ b/kernel/audit.h 
>>>>> @@ -108,10 +114,10 @@ struct audit_context { >>>>> AUDIT_CTX_URING, /* in use by io_uring */ >>>>> } context; >>>>> enum audit_state state, current_state; >>>>> + struct audit_stamp stamp; /* event identifier */ >>>>> unsigned int serial; /* serial number for record */ >>>> shouldn't we be dropping serial from the audit_context, since we have >>>> moved it into the audit_stamp? >>> Unless we make some significant changes to audit_log_start() we still >>> need to preserve a timestamp in the audit_context so that regularly >>> associated audit records can share a common timestamp (which is what >>> groups multiple records into a single "event"). >>> >> sure, but the patch changes things to use ctx->stamp.serial instead of >> ctx->serial ... > My apologies, I read your original comment wrong; I was thinking you > were suggesting removing the timestamp info from audit_context in > favor of using the timestamp info contained in the audit_buffer. > > Yes, audit_context:serial is no longer needed with audit_context:stamp. Thank you for catching that. Easy (I expect) fix. BTW, I'm not supposed to be working the next few weeks, but I should be able to sneak v36 in before the next merge window.
On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 4/26/2022 12:18 PM, Paul Moore wrote: > > On Tue, Apr 26, 2022 at 2:58 PM John Johansen > > <john.johansen@canonical.com> wrote: > >> On 4/26/22 11:03, Paul Moore wrote: > >>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen > >>> <john.johansen@canonical.com> wrote: > >>>> On 4/18/22 07:59, Casey Schaufler wrote: > >>>>> Replace the timestamp and serial number pair used in audit records > >>>>> with a structure containing the two elements. > >>>>> > >>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > >>>>> Acked-by: Paul Moore <paul@paul-moore.com> > >>>>> --- > >>>>> kernel/audit.c | 17 +++++++++-------- > >>>>> kernel/audit.h | 12 +++++++++--- > >>>>> kernel/auditsc.c | 22 +++++++++------------- > >>>>> 3 files changed, 27 insertions(+), 24 deletions(-) > >>> ... > >>> > >>>>> diff --git a/kernel/audit.h b/kernel/audit.h > >>>>> index 4af63e7dde17..260dab6e0e15 100644 > >>>>> --- a/kernel/audit.h > >>>>> +++ b/kernel/audit.h 
> >>>>> @@ -108,10 +114,10 @@ struct audit_context { > >>>>> AUDIT_CTX_URING, /* in use by io_uring */ > >>>>> } context; > >>>>> enum audit_state state, current_state; > >>>>> + struct audit_stamp stamp; /* event identifier */ > >>>>> unsigned int serial; /* serial number for record */ > >>>> shouldn't we be dropping serial from the audit_context, since we have > >>>> moved it into the audit_stamp? > >>> Unless we make some significant changes to audit_log_start() we still > >>> need to preserve a timestamp in the audit_context so that regularly > >>> associated audit records can share a common timestamp (which is what > >>> groups multiple records into a single "event"). > >>> > >> sure, but the patch changes things to use ctx->stamp.serial instead of > >> ctx->serial ... > > My apologies, I read your original comment wrong; I was thinking you > > were suggesting removing the timestamp info from audit_context in > > favor of using the timestamp info contained in the audit_buffer. > > > > Yes, audit_context:serial is no longer needed with audit_context:stamp. > > Thank you for catching that. Easy (I expect) fix. > BTW, I'm not supposed to be working the next few weeks, > but I should be able to sneak v36 in before the next merge > window. Enjoy the time away :) FWIW, this isn't my call to make, but I would strongly prefer if this got a *full* run in linux-next before it was merged into Linus' tree during the merge window. For example, get this into the LSM -next tree at -rc1 instead of -rc6.
On 4/27/2022 9:02 AM, Paul Moore wrote: > On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >> On 4/26/2022 12:18 PM, Paul Moore wrote: >>> On Tue, Apr 26, 2022 at 2:58 PM John Johansen >>> <john.johansen@canonical.com> wrote: >>>> On 4/26/22 11:03, Paul Moore wrote: >>>>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen >>>>> <john.johansen@canonical.com> wrote: >>>>>> On 4/18/22 07:59, Casey Schaufler wrote: >>>>>>> Replace the timestamp and serial number pair used in audit records >>>>>>> with a structure containing the two elements. >>>>>>> >>>>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >>>>>>> Acked-by: Paul Moore <paul@paul-moore.com> >>>>>>> --- >>>>>>> kernel/audit.c | 17 +++++++++-------- >>>>>>> kernel/audit.h | 12 +++++++++--- >>>>>>> kernel/auditsc.c | 22 +++++++++------------- >>>>>>> 3 files changed, 27 insertions(+), 24 deletions(-) >>>>> ... >>>>> >>>>>>> diff --git a/kernel/audit.h b/kernel/audit.h >>>>>>> index 4af63e7dde17..260dab6e0e15 100644 >>>>>>> --- a/kernel/audit.h >>>>>>> +++ b/kernel/audit.h 
>>>>>>> @@ -108,10 +114,10 @@ struct audit_context { >>>>>>> AUDIT_CTX_URING, /* in use by io_uring */ >>>>>>> } context; >>>>>>> enum audit_state state, current_state; >>>>>>> + struct audit_stamp stamp; /* event identifier */ >>>>>>> unsigned int serial; /* serial number for record */ >>>>>> shouldn't we be dropping serial from the audit_context, since we have >>>>>> moved it into the audit_stamp? >>>>> Unless we make some significant changes to audit_log_start() we still >>>>> need to preserve a timestamp in the audit_context so that regularly >>>>> associated audit records can share a common timestamp (which is what >>>>> groups multiple records into a single "event"). >>>>> >>>> sure, but the patch changes things to use ctx->stamp.serial instead of >>>> ctx->serial ... >>> My apologies, I read your original comment wrong; I was thinking you >>> were suggesting removing the timestamp info from audit_context in >>> favor of using the timestamp info contained in the audit_buffer. >>> >>> Yes, audit_context:serial is no longer needed with audit_context:stamp. >> Thank you for catching that. Easy (I expect) fix. >> BTW, I'm not supposed to be working the next few weeks, >> but I should be able to sneak v36 in before the next merge >> window. > Enjoy the time away :) > > FWIW, this isn't my call to make, but I would strongly prefer if this > got a *full* run in linux-next before it was merged into Linus' tree > during the merge window. For example, get this into the LSM -next > tree at -rc1 instead of -rc6. I am in complete agreement. There's too much Murphy to rush it.
diff --git a/kernel/audit.c b/kernel/audit.c
index 28ff7a5f90bd..6b6c089512f7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1822,11 +1822,11 @@ unsigned int audit_serial(void)
 }
 
 static inline void audit_get_stamp(struct audit_context *ctx,
- struct timespec64 *t, unsigned int *serial)
+ struct audit_stamp *stamp)
 {
- if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
- ktime_get_coarse_real_ts64(t);
- *serial = audit_serial();
+ if (!ctx || !auditsc_get_stamp(ctx, stamp)) {
+ ktime_get_coarse_real_ts64(&stamp->ctime);
+ stamp->serial = audit_serial();
 }
 }
 
@@ -1849,8 +1849,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 int type)
 {
 struct audit_buffer *ab;
- struct timespec64 t;
- unsigned int serial;
+ struct audit_stamp stamp;
 
 if (audit_initialized != AUDIT_INITIALIZED)
 return NULL;
@@ -1905,12 +1904,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 return NULL;
 }
 
- audit_get_stamp(ab->ctx, &t, &serial);
+ audit_get_stamp(ab->ctx, &stamp);
 /* cancel dummy context to enable supporting records */
 if (ctx)
 ctx->dummy = 0;
 audit_log_format(ab, "audit(%llu.%03lu:%u): ",
- (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
+ (unsigned long long)stamp.ctime.tv_sec,
+ stamp.ctime.tv_nsec/1000000,
+ stamp.serial);
 
 return ab;
 }
diff --git a/kernel/audit.h b/kernel/audit.h
index 4af63e7dde17..260dab6e0e15 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -99,6 +99,12 @@ struct audit_proctitle {
 char *value; /* the cmdline field */
 };
 
+/* A timestamp/serial pair to identify an event */
+struct audit_stamp {
+ struct timespec64 ctime; /* time of syscall entry */
+ unsigned int serial; /* serial number for record */
+};
+
 /* The per-task audit context. */
 struct audit_context {
 int dummy; /* must be the first element */
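Review bot: The field comment on `ctime` in the new `struct audit_stamp` (kernel/audit.h hunk) says "time of syscall entry", which no longer covers every way the field is filled. In this same patch `audit_get_stamp()` writes the current coarse time into `stamp->ctime` when there is no usable context, and `__audit_uring_entry()` sets it for io_uring operations. Because the timestamp/serial pair is what ties records into one audit event, the comment should name all sources, for example `struct timespec64 ctime; /* time of syscall/io_uring entry, or of record creation when no context is in use */`.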
@@ -108,10 +114,10 @@ struct audit_context {
 AUDIT_CTX_URING, /* in use by io_uring */
 } context;
 enum audit_state state, current_state;
+ struct audit_stamp stamp; /* event identifier */
 unsigned int serial; /* serial number for record */
 int major; /* syscall number */
 int uring_op; /* uring operation */
- struct timespec64 ctime; /* time of syscall entry */
 unsigned long argv[4]; /* syscall arguments */
 long return_code;/* syscall return code */
 u64 prio;
@@ -265,7 +271,7 @@ extern void audit_put_tty(struct tty_struct *tty);
 #ifdef CONFIG_AUDITSYSCALL
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec64 *t, unsigned int *serial);
+ struct audit_stamp *stamp);
 
 extern void audit_put_watch(struct audit_watch *watch);
 extern void audit_get_watch(struct audit_watch *watch);
@@ -306,7 +312,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
 struct audit_context *ctx);
 extern struct list_head *audit_killed_trees(void);
 #else /* CONFIG_AUDITSYSCALL */
-#define auditsc_get_stamp(c, t, s) 0
+#define auditsc_get_stamp(c, s) 0
 #define audit_put_watch(w) do { } while (0)
 #define audit_get_watch(w) do { } while (0)
 #define audit_to_watch(k, p, l, o) (-EINVAL)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6fe9f2525fc1..557713954a69 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -992,10 +992,10 @@ static void audit_reset_context(struct audit_context *ctx)
 */
 
 ctx->current_state = ctx->state;
- ctx->serial = 0;
+ ctx->stamp.serial = 0;
 ctx->major = 0;
 ctx->uring_op = 0;
- ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
+ ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
 memset(ctx->argv, 0, sizeof(ctx->argv));
 ctx->return_code = 0;
 ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
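Review bot: In the `audit_reset_context()` hunk of kernel/auditsc.c the two members of the stamp are still cleared by separate assignments, so a member added to `struct audit_stamp` later would survive a context reset and could carry a stale value into the next event's identifier. Clearing the struct as a unit, in the style of the `memset(ctx->argv, 0, sizeof(ctx->argv));` already in this hunk, avoids that: `memset(&ctx->stamp, 0, sizeof(ctx->stamp));`. The function starts and ends outside the hunk, so this assumes nothing between the two assignments depends on their order.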
@@ -1950,7 +1950,7 @@ void __audit_uring_entry(u8 op)
 
 ctx->context = AUDIT_CTX_URING;
 ctx->current_state = ctx->state;
- ktime_get_coarse_real_ts64(&ctx->ctime);
+ ktime_get_coarse_real_ts64(&ctx->stamp.ctime);
 }
 
 /**
@@ -2066,7 +2066,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
 context->argv[3] = a4;
 context->context = AUDIT_CTX_SYSCALL;
 context->current_state = state;
- ktime_get_coarse_real_ts64(&context->ctime);
+ ktime_get_coarse_real_ts64(&context->stamp.ctime);
 }
 
 /**
@@ -2535,21 +2535,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
 /**
 * auditsc_get_stamp - get local copies of audit_context values
 * @ctx: audit_context for the task
- * @t: timespec64 to store time recorded in the audit_context
- * @serial: serial value that is recorded in the audit_context
+ * @stamp: timestamp to record
 *
 * Also sets the context as auditable.
 */
-int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec64 *t, unsigned int *serial)
+int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp)
 {
 if (ctx->context == AUDIT_CTX_UNUSED)
 return 0;
- if (!ctx->serial)
- ctx->serial = audit_serial();
- t->tv_sec = ctx->ctime.tv_sec;
- t->tv_nsec = ctx->ctime.tv_nsec;
- *serial = ctx->serial;
+ if (!ctx->stamp.serial)
+ ctx->stamp.serial = audit_serial();
+ *stamp = ctx->stamp;
 if (!ctx->prio) {
 ctx->prio = 1;
 ctx->current_state = AUDIT_STATE_RECORD;
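Review bot: The kernel-doc line `@stamp: timestamp to record` in the `auditsc_get_stamp()` hunk reads as if the caller supplies the value, while the body does `*stamp = ctx->stamp;`, so it is an output that receives the context's timestamp and serial. I would word it as ` * @stamp: filled with a copy of the context's timestamp and serial number`. The comment should also gain a line on the return value, because the visible code returns 0 without writing `*stamp` when the context is `AUDIT_CTX_UNUSED`, and `audit_get_stamp()` in kernel/audit.c depends on that to generate its own stamp. The function body continues past the end of the hunk.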