[PATCH v35 23/29] Audit: Create audit_stamp structure
Paul Moore
paul at paul-moore.com
Tue Apr 26 19:18:13 UTC 2022
On Tue, Apr 26, 2022 at 2:58 PM John Johansen
<john.johansen at canonical.com> wrote:
> On 4/26/22 11:03, Paul Moore wrote:
> > On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> > <john.johansen at canonical.com> wrote:
> >> On 4/18/22 07:59, Casey Schaufler wrote:
> >>> Replace the timestamp and serial number pair used in audit records
> >>> with a structure containing the two elements.
> >>>
> >>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> >>> Acked-by: Paul Moore <paul at paul-moore.com>
> >>> ---
> >>> kernel/audit.c | 17 +++++++++--------
> >>> kernel/audit.h | 12 +++++++++---
> >>> kernel/auditsc.c | 22 +++++++++-------------
> >>> 3 files changed, 27 insertions(+), 24 deletions(-)
> >
> > ...
> >
> >>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>> index 4af63e7dde17..260dab6e0e15 100644
> >>> --- a/kernel/audit.h
> >>> +++ b/kernel/audit.h
> >>> @@ -108,10 +114,10 @@ struct audit_context {
> >>> AUDIT_CTX_URING, /* in use by io_uring */
> >>> } context;
> >>> enum audit_state state, current_state;
> >>> + struct audit_stamp stamp; /* event identifier */
> >>> unsigned int serial; /* serial number for record */
> >>
> >> shouldn't we be dropping serial from the audit_context, since we have
> >> moved it into the audit_stamp?
> >
> > Unless we make some significant changes to audit_log_start() we still
> > need to preserve a timestamp in the audit_context so that regularly
> > associated audit records can share a common timestamp (which is what
> > groups multiple records into a single "event").
> >
> sure, but the patch changes things to use ctx->stamp.serial instead of
> ctx->serial ...
My apologies, I read your original comment wrong; I was thinking you
were suggesting removing the timestamp info from audit_context in
favor of using the timestamp info contained in the audit_buffer.
Yes, audit_context:serial is no longer needed with audit_context:stamp.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list