
[v35,23/29] Audit: Create audit_stamp structure

Message ID 20220418145945.38797-24-casey@schaufler-ca.com (mailing list archive)
State New

Commit Message

Casey Schaufler April 18, 2022, 2:59 p.m. UTC
Replace the timestamp and serial number pair used in audit records
with a structure containing the two elements.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
---
 kernel/audit.c   | 17 +++++++++--------
 kernel/audit.h   | 12 +++++++++---
 kernel/auditsc.c | 22 +++++++++-------------
 3 files changed, 27 insertions(+), 24 deletions(-)

Comments

John Johansen April 25, 2022, 11:31 p.m. UTC | #1
On 4/18/22 07:59, Casey Schaufler wrote:
> Replace the timestamp and serial number pair used in audit records
> with a structure containing the two elements.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Acked-by: Paul Moore <paul@paul-moore.com>
> ---
>  kernel/audit.c   | 17 +++++++++--------
>  kernel/audit.h   | 12 +++++++++---
>  kernel/auditsc.c | 22 +++++++++-------------
>  3 files changed, 27 insertions(+), 24 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 28ff7a5f90bd..6b6c089512f7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1822,11 +1822,11 @@ unsigned int audit_serial(void)
>  }
>  
>  static inline void audit_get_stamp(struct audit_context *ctx,
> -				   struct timespec64 *t, unsigned int *serial)
> +				   struct audit_stamp *stamp)
>  {
> -	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
> -		ktime_get_coarse_real_ts64(t);
> -		*serial = audit_serial();
> +	if (!ctx || !auditsc_get_stamp(ctx, stamp)) {
> +		ktime_get_coarse_real_ts64(&stamp->ctime);
> +		stamp->serial = audit_serial();
>  	}
>  }
>  
> @@ -1849,8 +1849,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  				     int type)
>  {
>  	struct audit_buffer *ab;
> -	struct timespec64 t;
> -	unsigned int serial;
> +	struct audit_stamp stamp;
>  
>  	if (audit_initialized != AUDIT_INITIALIZED)
>  		return NULL;
> @@ -1905,12 +1904,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  		return NULL;
>  	}
>  
> -	audit_get_stamp(ab->ctx, &t, &serial);
> +	audit_get_stamp(ab->ctx, &stamp);
>  	/* cancel dummy context to enable supporting records */
>  	if (ctx)
>  		ctx->dummy = 0;
>  	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
> -			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
> +			 (unsigned long long)stamp.ctime.tv_sec,
> +			 stamp.ctime.tv_nsec/1000000,
> +			 stamp.serial);
>  
>  	return ab;
>  }
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 4af63e7dde17..260dab6e0e15 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -99,6 +99,12 @@ struct audit_proctitle {
>  	char	*value;	/* the cmdline field */
>  };
>  
> +/* A timestamp/serial pair to identify an event */
> +struct audit_stamp {
> +	struct timespec64	ctime;	/* time of syscall entry */
> +	unsigned int		serial;	/* serial number for record */
> +};
> +
>  /* The per-task audit context. */
>  struct audit_context {
>  	int		    dummy;	/* must be the first element */
> @@ -108,10 +114,10 @@ struct audit_context {
>  		AUDIT_CTX_URING,	/* in use by io_uring */
>  	} context;
>  	enum audit_state    state, current_state;
> +	struct audit_stamp  stamp;	/* event identifier */
>  	unsigned int	    serial;     /* serial number for record */

shouldn't we be dropping serial from the audit_context, since we have
moved it into the audit_stamp?

>  	int		    major;      /* syscall number */
>  	int		    uring_op;   /* uring operation */
> -	struct timespec64   ctime;      /* time of syscall entry */
>  	unsigned long	    argv[4];    /* syscall arguments */
>  	long		    return_code;/* syscall return code */
>  	u64		    prio;
> @@ -265,7 +271,7 @@ extern void audit_put_tty(struct tty_struct *tty);
>  #ifdef CONFIG_AUDITSYSCALL
>  extern unsigned int audit_serial(void);
>  extern int auditsc_get_stamp(struct audit_context *ctx,
> -			      struct timespec64 *t, unsigned int *serial);
> +			     struct audit_stamp *stamp);
>  
>  extern void audit_put_watch(struct audit_watch *watch);
>  extern void audit_get_watch(struct audit_watch *watch);
> @@ -306,7 +312,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
>  				struct audit_context *ctx);
>  extern struct list_head *audit_killed_trees(void);
>  #else /* CONFIG_AUDITSYSCALL */
> -#define auditsc_get_stamp(c, t, s) 0
> +#define auditsc_get_stamp(c, s) 0
>  #define audit_put_watch(w) do { } while (0)
>  #define audit_get_watch(w) do { } while (0)
>  #define audit_to_watch(k, p, l, o) (-EINVAL)
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6fe9f2525fc1..557713954a69 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -992,10 +992,10 @@ static void audit_reset_context(struct audit_context *ctx)
>  	 */
>  
>  	ctx->current_state = ctx->state;
> -	ctx->serial = 0;
> +	ctx->stamp.serial = 0;
>  	ctx->major = 0;
>  	ctx->uring_op = 0;
> -	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
> +	ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
>  	memset(ctx->argv, 0, sizeof(ctx->argv));
>  	ctx->return_code = 0;
>  	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
> @@ -1950,7 +1950,7 @@ void __audit_uring_entry(u8 op)
>  
>  	ctx->context = AUDIT_CTX_URING;
>  	ctx->current_state = ctx->state;
> -	ktime_get_coarse_real_ts64(&ctx->ctime);
> +	ktime_get_coarse_real_ts64(&ctx->stamp.ctime);
>  }
>  
>  /**
> @@ -2066,7 +2066,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
>  	context->argv[3]    = a4;
>  	context->context = AUDIT_CTX_SYSCALL;
>  	context->current_state  = state;
> -	ktime_get_coarse_real_ts64(&context->ctime);
> +	ktime_get_coarse_real_ts64(&context->stamp.ctime);
>  }
>  
>  /**
> @@ -2535,21 +2535,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
>  /**
>   * auditsc_get_stamp - get local copies of audit_context values
>   * @ctx: audit_context for the task
> - * @t: timespec64 to store time recorded in the audit_context
> - * @serial: serial value that is recorded in the audit_context
> + * @stamp: timestamp to record
>   *
>   * Also sets the context as auditable.
>   */
> -int auditsc_get_stamp(struct audit_context *ctx,
> -		       struct timespec64 *t, unsigned int *serial)
> +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp)
>  {
>  	if (ctx->context == AUDIT_CTX_UNUSED)
>  		return 0;
> -	if (!ctx->serial)
> -		ctx->serial = audit_serial();
> -	t->tv_sec  = ctx->ctime.tv_sec;
> -	t->tv_nsec = ctx->ctime.tv_nsec;
> -	*serial    = ctx->serial;
> +	if (!ctx->stamp.serial)
> +		ctx->stamp.serial = audit_serial();
> +	*stamp = ctx->stamp;
>  	if (!ctx->prio) {
>  		ctx->prio = 1;
>  		ctx->current_state = AUDIT_STATE_RECORD;
Paul Moore April 26, 2022, 6:03 p.m. UTC | #2
On Mon, Apr 25, 2022 at 7:31 PM John Johansen
<john.johansen@canonical.com> wrote:
> On 4/18/22 07:59, Casey Schaufler wrote:
> > Replace the timestamp and serial number pair used in audit records
> > with a structure containing the two elements.
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > Acked-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  kernel/audit.c   | 17 +++++++++--------
> >  kernel/audit.h   | 12 +++++++++---
> >  kernel/auditsc.c | 22 +++++++++-------------
> >  3 files changed, 27 insertions(+), 24 deletions(-)

...

> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 4af63e7dde17..260dab6e0e15 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -108,10 +114,10 @@ struct audit_context {
> >               AUDIT_CTX_URING,        /* in use by io_uring */
> >       } context;
> >       enum audit_state    state, current_state;
> > +     struct audit_stamp  stamp;      /* event identifier */
> >       unsigned int        serial;     /* serial number for record */
>
> shouldn't we be dropping serial from the audit_context, since we have
> moved it into the audit_stamp?

Unless we make some significant changes to audit_log_start() we still
need to preserve a timestamp in the audit_context so that regularly
associated audit records can share a common timestamp (which is what
groups multiple records into a single "event").

FWIW, I'm working on some patches which will make a lot of this better
in the future, but they aren't ready yet and would almost surely land
after the stacking patches.  Audit will get better at some point in
the future, I promise :)

--
paul-moore.com
John Johansen April 26, 2022, 6:58 p.m. UTC | #3
On 4/26/22 11:03, Paul Moore wrote:
> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> <john.johansen@canonical.com> wrote:
>> On 4/18/22 07:59, Casey Schaufler wrote:
>>> Replace the timestamp and serial number pair used in audit records
>>> with a structure containing the two elements.
>>>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>> Acked-by: Paul Moore <paul@paul-moore.com>
>>> ---
>>>  kernel/audit.c   | 17 +++++++++--------
>>>  kernel/audit.h   | 12 +++++++++---
>>>  kernel/auditsc.c | 22 +++++++++-------------
>>>  3 files changed, 27 insertions(+), 24 deletions(-)
> 
> ...
> 
>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>> index 4af63e7dde17..260dab6e0e15 100644
>>> --- a/kernel/audit.h
>>> +++ b/kernel/audit.h
>>> @@ -108,10 +114,10 @@ struct audit_context {
>>>               AUDIT_CTX_URING,        /* in use by io_uring */
>>>       } context;
>>>       enum audit_state    state, current_state;
>>> +     struct audit_stamp  stamp;      /* event identifier */
>>>       unsigned int        serial;     /* serial number for record */
>>
>> shouldn't we be dropping serial from the audit_context, since we have
>> moved it into the audit_stamp?
> 
> Unless we make some significant changes to audit_log_start() we still
> need to preserve a timestamp in the audit_context so that regularly
> associated audit records can share a common timestamp (which is what
> groups multiple records into a single "event").
> 
sure, but the patch changes things to use ctx->stamp.serial instead of
ctx->serial. Eg. in audit_reset_context() we have

-	ctx->serial = 0;
+	ctx->stamp.serial = 0;

I don't see a reason why we need both ctx->serial and ctx->stamp.serial
Paul Moore April 26, 2022, 7:18 p.m. UTC | #4
On Tue, Apr 26, 2022 at 2:58 PM John Johansen
<john.johansen@canonical.com> wrote:
> On 4/26/22 11:03, Paul Moore wrote:
> > On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> > <john.johansen@canonical.com> wrote:
> >> On 4/18/22 07:59, Casey Schaufler wrote:
> >>> Replace the timestamp and serial number pair used in audit records
> >>> with a structure containing the two elements.
> >>>
> >>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >>> Acked-by: Paul Moore <paul@paul-moore.com>
> >>> ---
> >>>  kernel/audit.c   | 17 +++++++++--------
> >>>  kernel/audit.h   | 12 +++++++++---
> >>>  kernel/auditsc.c | 22 +++++++++-------------
> >>>  3 files changed, 27 insertions(+), 24 deletions(-)
> >
> > ...
> >
> >>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>> index 4af63e7dde17..260dab6e0e15 100644
> >>> --- a/kernel/audit.h
> >>> +++ b/kernel/audit.h
> >>> @@ -108,10 +114,10 @@ struct audit_context {
> >>>               AUDIT_CTX_URING,        /* in use by io_uring */
> >>>       } context;
> >>>       enum audit_state    state, current_state;
> >>> +     struct audit_stamp  stamp;      /* event identifier */
> >>>       unsigned int        serial;     /* serial number for record */
> >>
> >> shouldn't we be dropping serial from the audit_context, since we have
> >> moved it into the audit_stamp?
> >
> > Unless we make some significant changes to audit_log_start() we still
> > need to preserve a timestamp in the audit_context so that regularly
> > associated audit records can share a common timestamp (which is what
> > groups multiple records into a single "event").
> >
> sure, but the patch changes things to use ctx->stamp.serial instead of
> ctx->serial ...

My apologies, I read your original comment wrong; I was thinking you
were suggesting removing the timestamp info from audit_context in
favor of using the timestamp info contained in the audit_buffer.

Yes, audit_context:serial is no longer needed with audit_context:stamp.
Casey Schaufler April 27, 2022, 3:49 p.m. UTC | #5
On 4/26/2022 12:18 PM, Paul Moore wrote:
> On Tue, Apr 26, 2022 at 2:58 PM John Johansen
> <john.johansen@canonical.com> wrote:
>> On 4/26/22 11:03, Paul Moore wrote:
>>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
>>> <john.johansen@canonical.com> wrote:
>>>> On 4/18/22 07:59, Casey Schaufler wrote:
>>>>> Replace the timestamp and serial number pair used in audit records
>>>>> with a structure containing the two elements.
>>>>>
>>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>>> Acked-by: Paul Moore <paul@paul-moore.com>
>>>>> ---
>>>>>   kernel/audit.c   | 17 +++++++++--------
>>>>>   kernel/audit.h   | 12 +++++++++---
>>>>>   kernel/auditsc.c | 22 +++++++++-------------
>>>>>   3 files changed, 27 insertions(+), 24 deletions(-)
>>> ...
>>>
>>>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>>>> index 4af63e7dde17..260dab6e0e15 100644
>>>>> --- a/kernel/audit.h
>>>>> +++ b/kernel/audit.h
>>>>> @@ -108,10 +114,10 @@ struct audit_context {
>>>>>                AUDIT_CTX_URING,        /* in use by io_uring */
>>>>>        } context;
>>>>>        enum audit_state    state, current_state;
>>>>> +     struct audit_stamp  stamp;      /* event identifier */
>>>>>        unsigned int        serial;     /* serial number for record */
>>>> shouldn't we be dropping serial from the audit_context, since we have
>>>> moved it into the audit_stamp?
>>> Unless we make some significant changes to audit_log_start() we still
>>> need to preserve a timestamp in the audit_context so that regularly
>>> associated audit records can share a common timestamp (which is what
>>> groups multiple records into a single "event").
>>>
>> sure, but the patch changes things to use ctx->stamp.serial instead of
>> ctx->serial ...
> My apologies, I read your original comment wrong; I was thinking you
> were suggesting removing the timestamp info from audit_context in
> favor of using the timestamp info contained in the audit_buffer.
>
> Yes, audit_context:serial is no longer needed with audit_context:stamp.

Thank you for catching that. Easy (I expect) fix.
BTW, I'm not supposed to be working the next few weeks,
but I should be able to sneak v36 in before the next merge
window.
Paul Moore April 27, 2022, 4:02 p.m. UTC | #6
On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 4/26/2022 12:18 PM, Paul Moore wrote:
> > On Tue, Apr 26, 2022 at 2:58 PM John Johansen
> > <john.johansen@canonical.com> wrote:
> >> On 4/26/22 11:03, Paul Moore wrote:
> >>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> >>> <john.johansen@canonical.com> wrote:
> >>>> On 4/18/22 07:59, Casey Schaufler wrote:
> >>>>> Replace the timestamp and serial number pair used in audit records
> >>>>> with a structure containing the two elements.
> >>>>>
> >>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >>>>> Acked-by: Paul Moore <paul@paul-moore.com>
> >>>>> ---
> >>>>>   kernel/audit.c   | 17 +++++++++--------
> >>>>>   kernel/audit.h   | 12 +++++++++---
> >>>>>   kernel/auditsc.c | 22 +++++++++-------------
> >>>>>   3 files changed, 27 insertions(+), 24 deletions(-)
> >>> ...
> >>>
> >>>>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>>>> index 4af63e7dde17..260dab6e0e15 100644
> >>>>> --- a/kernel/audit.h
> >>>>> +++ b/kernel/audit.h
> >>>>> @@ -108,10 +114,10 @@ struct audit_context {
> >>>>>                AUDIT_CTX_URING,        /* in use by io_uring */
> >>>>>        } context;
> >>>>>        enum audit_state    state, current_state;
> >>>>> +     struct audit_stamp  stamp;      /* event identifier */
> >>>>>        unsigned int        serial;     /* serial number for record */
> >>>> shouldn't we be dropping serial from the audit_context, since we have
> >>>> moved it into the audit_stamp?
> >>> Unless we make some significant changes to audit_log_start() we still
> >>> need to preserve a timestamp in the audit_context so that regularly
> >>> associated audit records can share a common timestamp (which is what
> >>> groups multiple records into a single "event").
> >>>
> >> sure, but the patch changes things to use ctx->stamp.serial instead of
> >> ctx->serial ...
> > My apologies, I read your original comment wrong; I was thinking you
> > were suggesting removing the timestamp info from audit_context in
> > favor of using the timestamp info contained in the audit_buffer.
> >
> > Yes, audit_context:serial is no longer needed with audit_context:stamp.
>
> Thank you for catching that. Easy (I expect) fix.
> BTW, I'm not supposed to be working the next few weeks,
> but I should be able to sneak v36 in before the next merge
> window.

Enjoy the time away :)

FWIW, this isn't my call to make, but I would strongly prefer if this
got a *full* run in linux-next before it was merged into Linus' tree
during the merge window.  For example, get this into the LSM -next
tree at -rc1 instead of -rc6.
Casey Schaufler April 27, 2022, 8:55 p.m. UTC | #7
On 4/27/2022 9:02 AM, Paul Moore wrote:
> On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 4/26/2022 12:18 PM, Paul Moore wrote:
>>> On Tue, Apr 26, 2022 at 2:58 PM John Johansen
>>> <john.johansen@canonical.com> wrote:
>>>> On 4/26/22 11:03, Paul Moore wrote:
>>>>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
>>>>> <john.johansen@canonical.com> wrote:
>>>>>> On 4/18/22 07:59, Casey Schaufler wrote:
>>>>>>> Replace the timestamp and serial number pair used in audit records
>>>>>>> with a structure containing the two elements.
>>>>>>>
>>>>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>>>>> Acked-by: Paul Moore <paul@paul-moore.com>
>>>>>>> ---
>>>>>>>    kernel/audit.c   | 17 +++++++++--------
>>>>>>>    kernel/audit.h   | 12 +++++++++---
>>>>>>>    kernel/auditsc.c | 22 +++++++++-------------
>>>>>>>    3 files changed, 27 insertions(+), 24 deletions(-)
>>>>> ...
>>>>>
>>>>>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>>>>>> index 4af63e7dde17..260dab6e0e15 100644
>>>>>>> --- a/kernel/audit.h
>>>>>>> +++ b/kernel/audit.h
>>>>>>> @@ -108,10 +114,10 @@ struct audit_context {
>>>>>>>                 AUDIT_CTX_URING,        /* in use by io_uring */
>>>>>>>         } context;
>>>>>>>         enum audit_state    state, current_state;
>>>>>>> +     struct audit_stamp  stamp;      /* event identifier */
>>>>>>>         unsigned int        serial;     /* serial number for record */
>>>>>> shouldn't we be dropping serial from the audit_context, since we have
>>>>>> moved it into the audit_stamp?
>>>>> Unless we make some significant changes to audit_log_start() we still
>>>>> need to preserve a timestamp in the audit_context so that regularly
>>>>> associated audit records can share a common timestamp (which is what
>>>>> groups multiple records into a single "event").
>>>>>
>>>> sure, but the patch changes things to use ctx->stamp.serial instead of
>>>> ctx->serial ...
>>> My apologies, I read your original comment wrong; I was thinking you
>>> were suggesting removing the timestamp info from audit_context in
>>> favor of using the timestamp info contained in the audit_buffer.
>>>
>>> Yes, audit_context:serial is no longer needed with audit_context:stamp.
>> Thank you for catching that. Easy (I expect) fix.
>> BTW, I'm not supposed to be working the next few weeks,
>> but I should be able to sneak v36 in before the next merge
>> window.
> Enjoy the time away :)
>
> FWIW, this isn't my call to make, but I would strongly prefer if this
> got a *full* run in linux-next before it was merged into Linus' tree
> during the merge window.  For example, get this into the LSM -next
> tree at -rc1 instead of -rc6.

I am in complete agreement. There's too much Murphy to rush it.

Patch

diff --git a/kernel/audit.c b/kernel/audit.c
index 28ff7a5f90bd..6b6c089512f7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1822,11 +1822,11 @@  unsigned int audit_serial(void)
 }
 
 static inline void audit_get_stamp(struct audit_context *ctx,
-				   struct timespec64 *t, unsigned int *serial)
+				   struct audit_stamp *stamp)
 {
-	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
-		ktime_get_coarse_real_ts64(t);
-		*serial = audit_serial();
+	if (!ctx || !auditsc_get_stamp(ctx, stamp)) {
+		ktime_get_coarse_real_ts64(&stamp->ctime);
+		stamp->serial = audit_serial();
 	}
 }
 
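Review bot: audit_get_stamp() has no comment stating that `*stamp` is fully written on return, yet audit_log_start() now passes it an uninitialised `struct audit_stamp` local and formats both fields straight afterwards. On the visible lines the fallback branch sets both `ctime` and `serial`, so the guarantee rests on auditsc_get_stamp() filling the whole struct whenever it returns non-zero; its return statement lies outside the hunks shown, so that part is inferred. I would add above the function `/* Fill @stamp from the task's audit context, or with the current time and a fresh serial when there is none; @stamp is always fully written. */`.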
@@ -1849,8 +1849,7 @@  struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				     int type)
 {
 	struct audit_buffer *ab;
-	struct timespec64 t;
-	unsigned int serial;
+	struct audit_stamp stamp;
 
 	if (audit_initialized != AUDIT_INITIALIZED)
 		return NULL;
@@ -1905,12 +1904,14 @@  struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 		return NULL;
 	}
 
-	audit_get_stamp(ab->ctx, &t, &serial);
+	audit_get_stamp(ab->ctx, &stamp);
 	/* cancel dummy context to enable supporting records */
 	if (ctx)
 		ctx->dummy = 0;
 	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
-			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
+			 (unsigned long long)stamp.ctime.tv_sec,
+			 stamp.ctime.tv_nsec/1000000,
+			 stamp.serial);
 
 	return ab;
 }
diff --git a/kernel/audit.h b/kernel/audit.h
index 4af63e7dde17..260dab6e0e15 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -99,6 +99,12 @@  struct audit_proctitle {
 	char	*value;	/* the cmdline field */
 };
 
+/* A timestamp/serial pair to identify an event */
+struct audit_stamp {
+	struct timespec64	ctime;	/* time of syscall entry */
+	unsigned int		serial;	/* serial number for record */
+};
+
 /* The per-task audit context. */
 struct audit_context {
 	int		    dummy;	/* must be the first element */
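Review bot: The field comment `/* time of syscall entry */` on `ctime` does not hold for every user of the new struct: audit_get_stamp() in kernel/audit.c fills `stamp->ctime` at record creation when there is no usable context, and __audit_uring_entry() fills it at io_uring entry. Since this timestamp/serial pair is what ties records to one event, the comment should say where the value can come from, for example `/* time of syscall or io_uring entry, else of record creation */`. On 64-bit builds the struct presumably carries tail padding after `serial`, so a short remark that stamps are to be compared field by field rather than with memcmp() would also help.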
@@ -108,10 +114,10 @@  struct audit_context {
 		AUDIT_CTX_URING,	/* in use by io_uring */
 	} context;
 	enum audit_state    state, current_state;
+	struct audit_stamp  stamp;	/* event identifier */
 	unsigned int	    serial;     /* serial number for record */
 	int		    major;      /* syscall number */
 	int		    uring_op;   /* uring operation */
-	struct timespec64   ctime;      /* time of syscall entry */
 	unsigned long	    argv[4];    /* syscall arguments */
 	long		    return_code;/* syscall return code */
 	u64		    prio;
@@ -265,7 +271,7 @@  extern void audit_put_tty(struct tty_struct *tty);
 #ifdef CONFIG_AUDITSYSCALL
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
-			      struct timespec64 *t, unsigned int *serial);
+			     struct audit_stamp *stamp);
 
 extern void audit_put_watch(struct audit_watch *watch);
 extern void audit_get_watch(struct audit_watch *watch);
@@ -306,7 +312,7 @@  extern void audit_filter_inodes(struct task_struct *tsk,
 				struct audit_context *ctx);
 extern struct list_head *audit_killed_trees(void);
 #else /* CONFIG_AUDITSYSCALL */
-#define auditsc_get_stamp(c, t, s) 0
+#define auditsc_get_stamp(c, s) 0
 #define audit_put_watch(w) do { } while (0)
 #define audit_get_watch(w) do { } while (0)
 #define audit_to_watch(k, p, l, o) (-EINVAL)
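Review bot: The !CONFIG_AUDITSYSCALL stub stays a macro that discards its arguments, so in that configuration nothing checks that callers pass a `struct audit_stamp *` after this signature change. A typed stub would keep both configurations in step: `static inline int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { return 0; }`. The neighbouring stubs in this block are macros as well, so this is a style suggestion rather than a defect.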
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6fe9f2525fc1..557713954a69 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -992,10 +992,10 @@  static void audit_reset_context(struct audit_context *ctx)
 	 */
 
 	ctx->current_state = ctx->state;
-	ctx->serial = 0;
+	ctx->stamp.serial = 0;
 	ctx->major = 0;
 	ctx->uring_op = 0;
-	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
+	ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
 	memset(ctx->argv, 0, sizeof(ctx->argv));
 	ctx->return_code = 0;
 	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
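Review bot: The reset clears `ctx->stamp.serial` and `ctx->stamp.ctime` in two separate statements, with the `major` and `uring_op` resets between them, so a member added to struct audit_stamp later would silently survive into the next event. Resetting the stamp as one unit avoids that, e.g. `memset(&ctx->stamp, 0, sizeof(ctx->stamp));` placed next to the existing `memset(ctx->argv, 0, sizeof(ctx->argv));`. A stale stamp matters here because auditsc_get_stamp() only draws a new serial when `ctx->stamp.serial` is zero. audit_reset_context() starts and ends outside this hunk.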
@@ -1950,7 +1950,7 @@  void __audit_uring_entry(u8 op)
 
 	ctx->context = AUDIT_CTX_URING;
 	ctx->current_state = ctx->state;
-	ktime_get_coarse_real_ts64(&ctx->ctime);
+	ktime_get_coarse_real_ts64(&ctx->stamp.ctime);
 }
 
 /**
@@ -2066,7 +2066,7 @@  void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
 	context->argv[3]    = a4;
 	context->context = AUDIT_CTX_SYSCALL;
 	context->current_state  = state;
-	ktime_get_coarse_real_ts64(&context->ctime);
+	ktime_get_coarse_real_ts64(&context->stamp.ctime);
 }
 
 /**
@@ -2535,21 +2535,17 @@  EXPORT_SYMBOL_GPL(__audit_inode_child);
 /**
  * auditsc_get_stamp - get local copies of audit_context values
  * @ctx: audit_context for the task
- * @t: timespec64 to store time recorded in the audit_context
- * @serial: serial value that is recorded in the audit_context
+ * @stamp: timestamp to record
  *
  * Also sets the context as auditable.
  */
-int auditsc_get_stamp(struct audit_context *ctx,
-		       struct timespec64 *t, unsigned int *serial)
+int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp)
 {
 	if (ctx->context == AUDIT_CTX_UNUSED)
 		return 0;
-	if (!ctx->serial)
-		ctx->serial = audit_serial();
-	t->tv_sec  = ctx->ctime.tv_sec;
-	t->tv_nsec = ctx->ctime.tv_nsec;
-	*serial    = ctx->serial;
+	if (!ctx->stamp.serial)
+		ctx->stamp.serial = audit_serial();
+	*stamp = ctx->stamp;
 	if (!ctx->prio) {
 		ctx->prio = 1;
 		ctx->current_state = AUDIT_STATE_RECORD;
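Review bot: The new kernel-doc line `@stamp: timestamp to record` reads as if @stamp were an input, but the body does `*stamp = ctx->stamp;`, so it is an output that receives both the time and the serial held in the context. I would word it `@stamp: filled with the timestamp and serial number recorded in the audit_context`, and add a `Return:` line stating that 0 means the context is unused and @stamp was left untouched. The function body continues past the end of the hunk, so the non-zero return value is not visible here.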