On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> On 4/26/2022 12:18 PM, Paul Moore wrote:
> > On Tue, Apr 26, 2022 at 2:58 PM John Johansen
> > <john.johansen@xxxxxxxxxxxxx> wrote:
> >> On 4/26/22 11:03, Paul Moore wrote:
> >>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
> >>> <john.johansen@xxxxxxxxxxxxx> wrote:
> >>>> On 4/18/22 07:59, Casey Schaufler wrote:
> >>>>> Replace the timestamp and serial number pair used in audit records
> >>>>> with a structure containing the two elements.
> >>>>>
> >>>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> >>>>> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> >>>>> ---
> >>>>> kernel/audit.c | 17 +++++++++--------
> >>>>> kernel/audit.h | 12 +++++++++---
> >>>>> kernel/auditsc.c | 22 +++++++++-------------
> >>>>> 3 files changed, 27 insertions(+), 24 deletions(-)
> >>> ...
> >>>
> >>>>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>>>> index 4af63e7dde17..260dab6e0e15 100644
> >>>>> --- a/kernel/audit.h
> >>>>> +++ b/kernel/audit.h
> >>>>> @@ -108,10 +114,10 @@ struct audit_context {
> >>>>> AUDIT_CTX_URING, /* in use by io_uring */
> >>>>> } context;
> >>>>> enum audit_state state, current_state;
> >>>>> + struct audit_stamp stamp; /* event identifier */
> >>>>> unsigned int serial; /* serial number for record */
> >>>> shouldn't we be dropping serial from the audit_context, since we have
> >>>> moved it into the audit_stamp?
> >>> Unless we make some significant changes to audit_log_start() we still
> >>> need to preserve a timestamp in the audit_context so that regularly
> >>> associated audit records can share a common timestamp (which is what
> >>> groups multiple records into a single "event").
> >>>
> >> sure, but the patch changes things to use ctx->stamp.serial instead of
> >> ctx->serial ...
> > My apologies, I read your original comment wrong; I was thinking you
> > were suggesting removing the timestamp info from audit_context in
> > favor of using the timestamp info contained in the audit_buffer.
> >
> > Yes, audit_context:serial is no longer needed with audit_context:stamp.
>
> Thank you for catching that. Easy (I expect) fix.
> BTW, I'm not supposed to be working the next few weeks,
> but I should be able to sneak v36 in before the next merge
> window.
Enjoy the time away :)
FWIW, this isn't my call to make, but I would strongly prefer if this
got a *full* run in linux-next before it was merged into Linus' tree
during the merge window. For example, get this into the LSM -next
tree at -rc1 instead of -rc6.
--
paul-moore.com
