[PATCH 1/2] audit: introduce a struct to represent an audit timestamp

Casey Schaufler casey at schaufler-ca.com
Mon Dec 19 18:47:15 UTC 2022


On 12/19/2022 9:54 AM, Ondrej Mosnacek wrote:
> Join the two fields that comprise an audit timestamp into a common
> structure. This will be used further in later commits.

Patch 30/39 of my LSM stacking patchset[1] is almost identical to this.
The only significant difference is the structure name. You use audit_timestamp
whereas I use audit_stamp. I believe that audit_stamp is more correct and
more consistent with the code that uses it. 

[1] https://lore.kernel.org/lkml/f6b8ac05-6900-f57d-0daf-02d5ae53bc47@schaufler-ca.com/T/#m3205b98b2a6b21a296fb831ed35892f01ead191f

>
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
>  include/linux/audit.h |  5 +++++
>  kernel/audit.c        | 16 ++++++++--------
>  kernel/audit.h        |  4 ++--
>  kernel/auditsc.c      |  9 ++++-----
>  4 files changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 3608992848d3..788ab93c3be4 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -84,6 +84,11 @@ enum audit_ntp_type {
>  	AUDIT_NTP_NVALS /* count */
>  };
>  
> +struct audit_timestamp {
> +	struct timespec64 t;
> +	unsigned int serial;
> +};
> +
>  #ifdef CONFIG_AUDITSYSCALL
>  struct audit_ntp_val {
>  	long long oldval, newval;
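Review bot: The new `struct audit_timestamp` in include/linux/audit.h has no comment, although it is now the type that carries an audit record's identity. From the rest of the patch, `t` is filled from `ktime_get_coarse_real_ts64()` or `ctx->ctime`, and `serial` from `audit_serial()` or `ctx->serial`. The pair is printed as `audit(sec.msec:serial)`, which is presumably what log consumers use to group records belonging to one event. A short comment above the struct would state this, for example `/* identifies one audit event: coarse wall-clock time plus serial number, emitted as "audit(sec.msec:serial)" */`.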
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 9bc0b0301198..aded2d69ea69 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1818,11 +1818,11 @@ unsigned int audit_serial(void)
>  }
>  
>  static inline void audit_get_stamp(struct audit_context *ctx,
> -				   struct timespec64 *t, unsigned int *serial)
> +				   struct audit_timestamp *ts)
>  {
> -	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
> -		ktime_get_coarse_real_ts64(t);
> -		*serial = audit_serial();
> +	if (!ctx || !auditsc_get_stamp(ctx, ts)) {
> +		ktime_get_coarse_real_ts64(&ts->t);
> +		ts->serial = audit_serial();
>  	}
>  }
>  
> @@ -1845,8 +1845,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  				     int type)
>  {
>  	struct audit_buffer *ab;
> -	struct timespec64 t;
> -	unsigned int serial;
> +	struct audit_timestamp ts;
>  
>  	if (audit_initialized != AUDIT_INITIALIZED)
>  		return NULL;
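Review bot: `struct audit_timestamp ts;` in audit_log_start() is left uninitialized, which is safe only while every consumer reads `ts.t` and `ts.serial` member by member, as the audit_log_format() call in the next hunk does. A timespec64 followed by an unsigned int probably leaves tail padding on 64-bit builds, and audit_get_stamp() assigns members only, so those bytes would hold stale stack contents. Since the commit message says the struct will be used in later commits, a comment such as `/* filled member-wise by audit_get_stamp(); do not memcpy()/memcmp() or export the whole struct */` would record that constraint. audit_log_start() begins and ends outside this hunk.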
> @@ -1901,12 +1900,13 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  		return NULL;
>  	}
>  
> -	audit_get_stamp(ab->ctx, &t, &serial);
> +	audit_get_stamp(ab->ctx, &ts);
>  	/* cancel dummy context to enable supporting records */
>  	if (ctx)
>  		ctx->dummy = 0;
>  	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
> -			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
> +			 (unsigned long long)ts.t.tv_sec, ts.t.tv_nsec/1000000,
> +			 ts.serial);
>  
>  	return ab;
>  }
> diff --git a/kernel/audit.h b/kernel/audit.h
> index c57b008b9914..e3ea00ea399a 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -262,7 +262,7 @@ extern void audit_put_tty(struct tty_struct *tty);
>  #ifdef CONFIG_AUDITSYSCALL
>  extern unsigned int audit_serial(void);
>  extern int auditsc_get_stamp(struct audit_context *ctx,
> -			      struct timespec64 *t, unsigned int *serial);
> +			     struct audit_timestamp *ts);
>  
>  extern void audit_put_watch(struct audit_watch *watch);
>  extern void audit_get_watch(struct audit_watch *watch);
> @@ -303,7 +303,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
>  				struct audit_context *ctx);
>  extern struct list_head *audit_killed_trees(void);
>  #else /* CONFIG_AUDITSYSCALL */
> -#define auditsc_get_stamp(c, t, s) 0
> +#define auditsc_get_stamp(c, ts) 0
>  #define audit_put_watch(w) do { } while (0)
>  #define audit_get_watch(w) do { } while (0)
>  #define audit_to_watch(k, p, l, o) (-EINVAL)
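Review bot: The `#define auditsc_get_stamp(c, ts) 0` stub discards both arguments, so a build without CONFIG_AUDITSYSCALL never type-checks the new `struct audit_timestamp *` parameter. A caller passing the wrong pointer type would then fail to compile only in the other configuration. A typed stub such as `static inline int auditsc_get_stamp(struct audit_context *ctx, struct audit_timestamp *ts) { return 0; }` would keep both configurations checked. The neighbouring stubs in this `#else` branch are macros as well, so this is a style suggestion rather than a defect in the change.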
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9f8c05228d6d..061009ba9959 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2513,16 +2513,15 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
>   *
>   * Also sets the context as auditable.
>   */
> -int auditsc_get_stamp(struct audit_context *ctx,
> -		       struct timespec64 *t, unsigned int *serial)
> +int auditsc_get_stamp(struct audit_context *ctx, struct audit_timestamp *ts)
>  {
>  	if (ctx->context == AUDIT_CTX_UNUSED)
>  		return 0;
>  	if (!ctx->serial)
>  		ctx->serial = audit_serial();
> -	t->tv_sec  = ctx->ctime.tv_sec;
> -	t->tv_nsec = ctx->ctime.tv_nsec;
> -	*serial    = ctx->serial;
> +	ts->t.tv_sec  = ctx->ctime.tv_sec;
> +	ts->t.tv_nsec = ctx->ctime.tv_nsec;
> +	ts->serial    = ctx->serial;
>  	if (!ctx->prio) {
>  		ctx->prio = 1;
>  		ctx->current_state = AUDIT_STATE_RECORD;
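Review bot: The kernel-doc block whose tail is visible above `auditsc_get_stamp()` is not touched by this hunk. If it still lists the old `@t` and `@serial` parameters, it is now stale and should gain an entry such as ` * @ts: audit_timestamp filled with the time and serial recorded in the audit_context`, with the two old entries removed. The diffstat for kernel/auditsc.c (4 insertions, 5 deletions) matches the signature and assignment lines alone, which suggests the comment was left as is. The function body continues past the end of the hunk.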


