On Mon, Dec 19, 2022 at 1:00 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> In order to make it possible for the users and tooling to associate an
> SELinux AVC trace event with the corresponding audit event, make it
> include the audit timestamp (including the "serial number") of the
> event.
>
> First make audit_log_start() include the timestamp in the audit_buffer
> struct and add a public helper to retrieve it from an audit_buffer
> instance. Then retrieve it in SELinux's avc_audit_post_callback() and
> include it in the "avc:selinux_audited" trace event.
>
> After this patch the event includes the numeric fields that make up the
> timestamp and the text representation includes the timestamp in the same
> format as used in the audit log - e.g. "audit_ts=1671454430.092:1671".
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  include/linux/audit.h      |  8 ++++++++
>  include/trace/events/avc.h | 25 +++++++++++++++++--------
>  kernel/audit.c             | 15 +++++++++++----
>  security/selinux/avc.c     |  4 +++-
>  4 files changed, 39 insertions(+), 13 deletions(-)

I'm not really liking the idea of exposing the audit timestamp for use
in other subsystems, even if it is just for use in a trace event.

I generally take the approach that audit's charter is to capture and
log security relevant events to userspace where admins and security
officers can use the events to help meet their security goals. While
audit may have some value to developers as a debugging tool, that is
not its primary purpose, and at this point in time I'm not supportive
of adding additional burdens to the audit subsystem to support a
debugging use case (I view exporting and maintaining a proper timestamp
value/struct an additional requirement on the audit subsystem).

-- 
paul-moore.com
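The use case the patch description gives is correlating an "avc:selinux_audited" trace event with the audit records of the same event by the "<seconds>.<milliseconds>:<serial>" identifier. The userspace side of that correlation, as an added example that is not part of the thread or of the kernel patch: it indexes audit records by their `msg=audit(...)` identifier and looks up the matching records for a trace line carrying the proposed `audit_ts=` field. The audit log lines and the trace line are constructed samples; the other fields on the trace line are an assumption about the event layout, not the real one. The point worth seeing is that one kernel event produces several audit records (AVC, SYSCALL, ...) that all share the same identifier, and that the serial number alone is not unique across reboots, which is why the timestamp is part of the key.

```python
import re
from dataclasses import dataclass

# Constructed audit records, in the format written by the audit subsystem.
# Both records of the first event share the identifier 1671454430.092:1671.
AUDIT_LOG = """\
type=AVC msg=audit(1671454430.092:1671): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" tclass=file permissive=0
type=SYSCALL msg=audit(1671454430.092:1671): arch=c000003e syscall=257 success=no exit=-13 pid=1234 comm="cat"
type=AVC msg=audit(1671454431.005:1672): avc:  denied  { write } for  pid=1235 comm="nc" tclass=tcp_socket permissive=0
"""

# Constructed trace line; only the audit_ts= field follows the patch description,
# the remaining fields are assumed for illustration.
TRACE_LINE = ("cat-1234 [000] .... 12345.678: selinux_audited: "
              "requested=0x2 denied=0x2 audited=0x2 tclass=file "
              "audit_ts=1671454430.092:1671")

AUDIT_ID_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
TRACE_ID_RE = re.compile(r"audit_ts=(\d+)\.(\d+):(\d+)")


@dataclass(frozen=True)
class AuditTs:
    """Audit event identifier: wall-clock timestamp plus per-boot serial."""
    sec: int
    msec: int
    serial: int

    def __str__(self):
        return f"{self.sec}.{self.msec:03d}:{self.serial}"


def parse_audit_ts(line, pattern):
    """Extract the identifier from a line, or None if the line has none."""
    m = pattern.search(line)
    if m is None:
        return None
    return AuditTs(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def index_audit_log(text):
    """Group audit records by identifier; one event yields several records."""
    index = {}
    for line in text.splitlines():
        ts = parse_audit_ts(line, AUDIT_ID_RE)
        if ts is not None:
            index.setdefault(ts, []).append(line)
    return index


def correlate(trace_line, index):
    """Return every audit record belonging to the event a trace line names."""
    ts = parse_audit_ts(trace_line, TRACE_ID_RE)
    if ts is None:
        return []
    return index.get(ts, [])


if __name__ == "__main__":
    idx = index_audit_log(AUDIT_LOG)
    for record in correlate(TRACE_LINE, idx):
        print(record)
```

On a real system the same lookup is what `ausearch -a <serial>` does against the audit log once the serial is known; the timestamp keeps the match unambiguous when logs span more than one boot.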