
[1/2] audit: introduce a struct to represent an audit timestamp

Message ID 20221219175449.1657640-2-omosnace@redhat.com (mailing list archive)
State Handled Elsewhere
Delegated to: Paul Moore
Series Provide matching audit timestamp in the SELinux AVC trace event | expand

Commit Message

Ondrej Mosnacek Dec. 19, 2022, 5:54 p.m. UTC
Join the two fields that make up an audit timestamp into a single
structure. Later commits will build on it.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 include/linux/audit.h |  5 +++++
 kernel/audit.c        | 16 ++++++++--------
 kernel/audit.h        |  4 ++--
 kernel/auditsc.c      |  9 ++++-----
 4 files changed, 19 insertions(+), 15 deletions(-)

Comments

Casey Schaufler Dec. 19, 2022, 6:47 p.m. UTC | #1
On 12/19/2022 9:54 AM, Ondrej Mosnacek wrote:
> Join the two fields that comprise an audit timestamp into a common
> structure. This will be used further in later commits.

Patch 30/39 of my LSM stacking patchset[1] is almost identical to this.
The only significant difference is the structure name. You use audit_timestamp
whereas I use audit_stamp. I believe that audit_stamp is more correct and
more consistent with the code that uses it. 

[1] https://lore.kernel.org/lkml/f6b8ac05-6900-f57d-0daf-02d5ae53bc47@schaufler-ca.com/T/#m3205b98b2a6b21a296fb831ed35892f01ead191f

>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  include/linux/audit.h |  5 +++++
>  kernel/audit.c        | 16 ++++++++--------
>  kernel/audit.h        |  4 ++--
>  kernel/auditsc.c      |  9 ++++-----
>  4 files changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 3608992848d3..788ab93c3be4 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -84,6 +84,11 @@ enum audit_ntp_type {
>  	AUDIT_NTP_NVALS /* count */
>  };
>  
> +struct audit_timestamp {
> +	struct timespec64 t;
> +	unsigned int serial;
> +};
> +
>  #ifdef CONFIG_AUDITSYSCALL
>  struct audit_ntp_val {
>  	long long oldval, newval;
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 9bc0b0301198..aded2d69ea69 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1818,11 +1818,11 @@ unsigned int audit_serial(void)
>  }
>  
>  static inline void audit_get_stamp(struct audit_context *ctx,
> -				   struct timespec64 *t, unsigned int *serial)
> +				   struct audit_timestamp *ts)
>  {
> -	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
> -		ktime_get_coarse_real_ts64(t);
> -		*serial = audit_serial();
> +	if (!ctx || !auditsc_get_stamp(ctx, ts)) {
> +		ktime_get_coarse_real_ts64(&ts->t);
> +		ts->serial = audit_serial();
>  	}
>  }
>  
> @@ -1845,8 +1845,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  				     int type)
>  {
>  	struct audit_buffer *ab;
> -	struct timespec64 t;
> -	unsigned int serial;
> +	struct audit_timestamp ts;
>  
>  	if (audit_initialized != AUDIT_INITIALIZED)
>  		return NULL;
> @@ -1901,12 +1900,13 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  		return NULL;
>  	}
>  
> -	audit_get_stamp(ab->ctx, &t, &serial);
> +	audit_get_stamp(ab->ctx, &ts);
>  	/* cancel dummy context to enable supporting records */
>  	if (ctx)
>  		ctx->dummy = 0;
>  	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
> -			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
> +			 (unsigned long long)ts.t.tv_sec, ts.t.tv_nsec/1000000,
> +			 ts.serial);
>  
>  	return ab;
>  }
> diff --git a/kernel/audit.h b/kernel/audit.h
> index c57b008b9914..e3ea00ea399a 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -262,7 +262,7 @@ extern void audit_put_tty(struct tty_struct *tty);
>  #ifdef CONFIG_AUDITSYSCALL
>  extern unsigned int audit_serial(void);
>  extern int auditsc_get_stamp(struct audit_context *ctx,
> -			      struct timespec64 *t, unsigned int *serial);
> +			     struct audit_timestamp *ts);
>  
>  extern void audit_put_watch(struct audit_watch *watch);
>  extern void audit_get_watch(struct audit_watch *watch);
> @@ -303,7 +303,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
>  				struct audit_context *ctx);
>  extern struct list_head *audit_killed_trees(void);
>  #else /* CONFIG_AUDITSYSCALL */
> -#define auditsc_get_stamp(c, t, s) 0
> +#define auditsc_get_stamp(c, ts) 0
>  #define audit_put_watch(w) do { } while (0)
>  #define audit_get_watch(w) do { } while (0)
>  #define audit_to_watch(k, p, l, o) (-EINVAL)
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9f8c05228d6d..061009ba9959 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2513,16 +2513,15 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
>   *
>   * Also sets the context as auditable.
>   */
> -int auditsc_get_stamp(struct audit_context *ctx,
> -		       struct timespec64 *t, unsigned int *serial)
> +int auditsc_get_stamp(struct audit_context *ctx, struct audit_timestamp *ts)
>  {
>  	if (ctx->context == AUDIT_CTX_UNUSED)
>  		return 0;
>  	if (!ctx->serial)
>  		ctx->serial = audit_serial();
> -	t->tv_sec  = ctx->ctime.tv_sec;
> -	t->tv_nsec = ctx->ctime.tv_nsec;
> -	*serial    = ctx->serial;
> +	ts->t.tv_sec  = ctx->ctime.tv_sec;
> +	ts->t.tv_nsec = ctx->ctime.tv_nsec;
> +	ts->serial    = ctx->serial;
>  	if (!ctx->prio) {
>  		ctx->prio = 1;
>  		ctx->current_state = AUDIT_STATE_RECORD;
Paul Moore Dec. 19, 2022, 10:24 p.m. UTC | #2
On Mon, Dec 19, 2022 at 1:47 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 12/19/2022 9:54 AM, Ondrej Mosnacek wrote:
> > Join the two fields that comprise an audit timestamp into a common
> > structure. This will be used further in later commits.
>
> Patch 30/39 of my LSM stacking patchset[1] is almost identical to this.
> The only significant difference is the structure name. You use audit_timestamp
> whereas I use audit_stamp. I believe that audit_stamp is more correct and
> more consistent with the code that uses it.
>
> [1] https://lore.kernel.org/lkml/f6b8ac05-6900-f57d-0daf-02d5ae53bc47@schaufler-ca.com/T/#m3205b98b2a6b21a296fb831ed35892f01ead191f

For the record, if "audit_stamp" and "audit_timestamp" are my only two
options I prefer "audit_stamp" simply because it is shorter :)

That said, see my comments on patch 2/2.  While an audit timestamp
struct improvement such as is proposed here and in the LSM stacking
patchset is fine, I'm not in favor of exposing the audit timestamp
outside the audit subsystem.

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 3608992848d3..788ab93c3be4 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -84,6 +84,11 @@  enum audit_ntp_type {
 	AUDIT_NTP_NVALS /* count */
 };
 
+struct audit_timestamp {
+	struct timespec64 t;
+	unsigned int serial;
+};
+
 #ifdef CONFIG_AUDITSYSCALL
 struct audit_ntp_val {
 	long long oldval, newval;
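Review bot: The new `struct audit_timestamp` lands in a public header with no documentation of what its two fields mean or how they belong together, even though the serial is what ties the separate records of one event to each other (the `audit(%llu.%03lu:%u)` prefix built in audit_log_start prints both fields side by side). A kerneldoc block above the struct would be enough: one line naming it as the time-plus-serial identity of a single audit event, an `@t:` line for the wall-clock time recorded for the event, and an `@serial:` line saying it is the per-event serial that pairs with `@t` and is shared by all records of that event. Embedding `struct timespec64` by value rather than through a pointer also means this header needs the full definition of that struct visible; whether include/linux/audit.h already pulls in the header that defines it cannot be seen from this hunk, so it is worth confirming.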
diff --git a/kernel/audit.c b/kernel/audit.c
index 9bc0b0301198..aded2d69ea69 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1818,11 +1818,11 @@  unsigned int audit_serial(void)
 }
 
 static inline void audit_get_stamp(struct audit_context *ctx,
-				   struct timespec64 *t, unsigned int *serial)
+				   struct audit_timestamp *ts)
 {
-	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
-		ktime_get_coarse_real_ts64(t);
-		*serial = audit_serial();
+	if (!ctx || !auditsc_get_stamp(ctx, ts)) {
+		ktime_get_coarse_real_ts64(&ts->t);
+		ts->serial = audit_serial();
 	}
 }
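Review bot: audit_get_stamp now fills a caller-supplied `struct audit_timestamp`, but nothing states that both fields are always written, which is exactly what audit_log_start relies on when it prints `ts` without initialising it. The visible body does guarantee it: when a syscall context is in use auditsc_get_stamp writes both fields, and otherwise the fallback branch sets `ts->t` from the coarse clock and `ts->serial` from audit_serial(). A short comment above the function would make that contract explicit: `/* Always fills both ts->t and ts->serial: from the syscall context when one is in use, otherwise from the coarse clock and a fresh serial. */`. Under !CONFIG_AUDITSYSCALL the stub macro never touches `ts`, so the fallback branch is the sole writer there, which is consistent with that wording.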
 
@@ -1845,8 +1845,7 @@  struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				     int type)
 {
 	struct audit_buffer *ab;
-	struct timespec64 t;
-	unsigned int serial;
+	struct audit_timestamp ts;
 
 	if (audit_initialized != AUDIT_INITIALIZED)
 		return NULL;
@@ -1901,12 +1900,13 @@  struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 		return NULL;
 	}
 
-	audit_get_stamp(ab->ctx, &t, &serial);
+	audit_get_stamp(ab->ctx, &ts);
 	/* cancel dummy context to enable supporting records */
 	if (ctx)
 		ctx->dummy = 0;
 	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
-			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
+			 (unsigned long long)ts.t.tv_sec, ts.t.tv_nsec/1000000,
+			 ts.serial);
 
 	return ab;
 }
diff --git a/kernel/audit.h b/kernel/audit.h
index c57b008b9914..e3ea00ea399a 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -262,7 +262,7 @@  extern void audit_put_tty(struct tty_struct *tty);
 #ifdef CONFIG_AUDITSYSCALL
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
-			      struct timespec64 *t, unsigned int *serial);
+			     struct audit_timestamp *ts);
 
 extern void audit_put_watch(struct audit_watch *watch);
 extern void audit_get_watch(struct audit_watch *watch);
@@ -303,7 +303,7 @@  extern void audit_filter_inodes(struct task_struct *tsk,
 				struct audit_context *ctx);
 extern struct list_head *audit_killed_trees(void);
 #else /* CONFIG_AUDITSYSCALL */
-#define auditsc_get_stamp(c, t, s) 0
+#define auditsc_get_stamp(c, ts) 0
 #define audit_put_watch(w) do { } while (0)
 #define audit_get_watch(w) do { } while (0)
 #define audit_to_watch(k, p, l, o) (-EINVAL)
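Review bot: The !CONFIG_AUDITSYSCALL stub `#define auditsc_get_stamp(c, ts) 0` never evaluates `ts`, so a type mismatch between the new `struct audit_timestamp *` parameter and a caller would only be caught on configurations with CONFIG_AUDITSYSCALL enabled. A `static inline int auditsc_get_stamp(struct audit_context *ctx, struct audit_timestamp *ts) { return 0; }` would give the same result on both configurations while keeping the prototype checked; the neighbouring stubs are macros too, so this may be a deliberate local convention rather than something this patch should change.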
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9f8c05228d6d..061009ba9959 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2513,16 +2513,15 @@  EXPORT_SYMBOL_GPL(__audit_inode_child);
  *
  * Also sets the context as auditable.
  */
-int auditsc_get_stamp(struct audit_context *ctx,
-		       struct timespec64 *t, unsigned int *serial)
+int auditsc_get_stamp(struct audit_context *ctx, struct audit_timestamp *ts)
 {
 	if (ctx->context == AUDIT_CTX_UNUSED)
 		return 0;
 	if (!ctx->serial)
 		ctx->serial = audit_serial();
-	t->tv_sec  = ctx->ctime.tv_sec;
-	t->tv_nsec = ctx->ctime.tv_nsec;
-	*serial    = ctx->serial;
+	ts->t.tv_sec  = ctx->ctime.tv_sec;
+	ts->t.tv_nsec = ctx->ctime.tv_nsec;
+	ts->serial    = ctx->serial;
 	if (!ctx->prio) {
 		ctx->prio = 1;
 		ctx->current_state = AUDIT_STATE_RECORD;
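Review bot: The kerneldoc header for auditsc_get_stamp begins above the hunk, and the visible tail of it (`Also sets the context as auditable.`) suggests the parameter list above still describes the removed `@t` and `@serial` parameters; if so, those two lines should be replaced by a single `@ts: audit_timestamp to receive the context's recorded time and serial`, otherwise kernel-doc will warn about the undocumented parameter and the description will be stale. Separately, with `ts->t` now a `struct timespec64`, the two field-by-field copies on the new lines could become a single struct assignment, `ts->t = ctx->ctime;`, assuming `ctx->ctime` is itself a `struct timespec64`, which cannot be confirmed from this hunk. The function's body continues past the end of the hunk.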