[PATCH v35 23/29] Audit: Create audit_stamp structure

Paul Moore paul at paul-moore.com
Tue Apr 26 19:18:13 UTC 2022 

On Tue, Apr 26, 2022 at 2:58 PM John Johansen
<john.johansen at canonical.com> wrote:
> On 4/26/22 11:03, Paul Moore wrote:
> > On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> > <john.johansen at canonical.com> wrote:
> >> On 4/18/22 07:59, Casey Schaufler wrote:
> >>> Replace the timestamp and serial number pair used in audit records
> >>> with a structure containing the two elements.
> >>>
> >>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> >>> Acked-by: Paul Moore <paul at paul-moore.com>
> >>> ---
> >>>  kernel/audit.c   | 17 +++++++++--------
> >>>  kernel/audit.h   | 12 +++++++++---
> >>>  kernel/auditsc.c | 22 +++++++++-------------
> >>>  3 files changed, 27 insertions(+), 24 deletions(-)
> >
> > ...
> >
> >>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>> index 4af63e7dde17..260dab6e0e15 100644
> >>> --- a/kernel/audit.h
> >>> +++ b/kernel/audit.h
> >>> @@ -108,10 +114,10 @@ struct audit_context {
> >>>               AUDIT_CTX_URING,        /* in use by io_uring */
> >>>       } context;
> >>>       enum audit_state    state, current_state;
> >>> +     struct audit_stamp  stamp;      /* event identifier */
> >>>       unsigned int        serial;     /* serial number for record */
> >>
> >> shouldn't we be dropping serial from the audit_context, since we have
> >> moved it into the audit_stamp?
> >
> > Unless we make some significant changes to audit_log_start() we still
> > need to preserve a timestamp in the audit_context so that regularly
> > associated audit records can share a common timestamp (which is what
> > groups multiple records into a single "event").
> >
> sure, but the patch changes things to use ctx->stamp.serial instead of
> ctx->serial ...

My apologies, I read your original comment wrong; I was thinking you
were suggesting removing the timestamp info from audit_context in
favor of using the timestamp info contained in the audit_buffer.

Yes, audit_context:serial is no longer needed with audit_context:stamp.

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list