[PATCH v35 23/29] Audit: Create audit_stamp structure
Paul Moore
paul at paul-moore.com
Tue Apr 26 18:03:02 UTC 2022
On Mon, Apr 25, 2022 at 7:31 PM John Johansen
<john.johansen at canonical.com> wrote:
> On 4/18/22 07:59, Casey Schaufler wrote:
> > Replace the timestamp and serial number pair used in audit records
> > with a structure containing the two elements.
> >
> > Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> > Acked-by: Paul Moore <paul at paul-moore.com>
> > ---
> > kernel/audit.c | 17 +++++++++--------
> > kernel/audit.h | 12 +++++++++---
> > kernel/auditsc.c | 22 +++++++++-------------
> > 3 files changed, 27 insertions(+), 24 deletions(-)
...
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 4af63e7dde17..260dab6e0e15 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -108,10 +114,10 @@ struct audit_context {
> > AUDIT_CTX_URING, /* in use by io_uring */
> > } context;
> > enum audit_state state, current_state;
> > + struct audit_stamp stamp; /* event identifier */
> > unsigned int serial; /* serial number for record */
>
> shouldn't we be dropping serial from the audit_context, since we have
> moved it into the audit_stamp?
Unless we make some significant changes to audit_log_start() we still
need to preserve a timestamp in the audit_context so that regularly
associated audit records can share a common timestamp (which is what
groups multiple records into a single "event").
FWIW, I'm working on some patches which will make a lot of this better
in the future, but they aren't ready yet and would almost surely land
after the stacking patches. Audit will get better at some point in
the future, I promise :)
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list