On Mon, Apr 25, 2022 at 7:31 PM John Johansen
<john.johansen@xxxxxxxxxxxxx> wrote:
> On 4/18/22 07:59, Casey Schaufler wrote:
> > Replace the timestamp and serial number pair used in audit records
> > with a structure containing the two elements.
> >
> > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > ---
> > kernel/audit.c | 17 +++++++++--------
> > kernel/audit.h | 12 +++++++++---
> > kernel/auditsc.c | 22 +++++++++-------------
> > 3 files changed, 27 insertions(+), 24 deletions(-)
...
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 4af63e7dde17..260dab6e0e15 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -108,10 +114,10 @@ struct audit_context {
> > AUDIT_CTX_URING, /* in use by io_uring */
> > } context;
> > enum audit_state state, current_state;
> > + struct audit_stamp stamp; /* event identifier */
> > unsigned int serial; /* serial number for record */
>
> shouldn't we be dropping serial from the audit_context, since we have
> moved it into the audit_stamp?
Unless we make some significant changes to audit_log_start() we still
need to preserve a timestamp in the audit_context so that regularly
associated audit records can share a common timestamp (which is what
groups multiple records into a single "event").
FWIW, I'm working on some patches which will make a lot of this better
in the future, but they aren't ready yet and would almost surely land
after the stacking patches. Audit will get better at some point in
the future, I promise :)
--
paul-moore.com
