On Mon, Apr 18, 2022 at 11:12 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > > Replace the single skb pointer in an audit_buffer with > a list of skb pointers. Add the audit_stamp information > to the audit_buffer as there's no guarantee that there > will be an audit_context containing the stamp associated > with the event. At audit_log_end() time create auxiliary > records (none are currently defined) as have been added > to the list. > > Suggested-by: Paul Moore <paul@xxxxxxxxxxxxxx> > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > --- > kernel/audit.c | 62 +++++++++++++++++++++++++++++++------------------- > 1 file changed, 39 insertions(+), 23 deletions(-) I believe the audit_buffer_aux_new() and audit_buffer_aux_end() functions from patch 26/29 belong in this patch, but otherwise it looks okay to me. Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com
