Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp912573imm; Sat, 22 Sep 2018 13:43:11 -0700 (PDT) X-Google-Smtp-Source: ACcGV622dtQGtB3MQsrIZbAwM7nzzyfYCF3jT0OoVRWx/2zu/gXr5h98CDKzTI4bidMvRJ0ylq00 X-Received: by 2002:a17:902:8542:: with SMTP id d2-v6mr3921795plo.285.1537648990736; Sat, 22 Sep 2018 13:43:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537648990; cv=none; d=google.com; s=arc-20160816; b=Wzs0lA8aZUjaP0uPEdO4jsu1YGevmqrNxiSj8uxEbP3TFosEQpFxYXYtePfGLt85zd 4CfWeoug8XcAOeBPSmamZJlMFliRHsNhGfw8zXT20joAx6sSdN598JMakX1gmG9Osb+T jPqSuGpliPL3ZEpgYlkBwlOk6JiuO+SxhdkZ1tRe08tofgbV5nFbenNqkAMJOf++pk5Q oYHaaDKZXXZPliYfYTCMeaC7i28w1HBw1XQMhbFqcJDhdfJXBAJv4tWuQ84hwlQkwhU/ LK4xwFbJ7kEEDuYXkRbIcka/aMHGNYVbgkCNWl30BOeiksYgsoZhvjS1HReOHlKAGgfW o2Dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=1F53DeP330QpWm2udvHwsXVnMMzggjVWGKIFG7fDbcE=; b=jgRRc6BVVCS2wSbPVB3il2eN3J9eYKxXQqDvr2rpErrAGhVQ4UZMX/ZfM5I1cT1nVB 3vwLLji9rwAMdYIzc5H2p0liAG+qu/MqlZjQwuMRzNFHgTT2QrYW2DNWk+PDMkR63vAv gZxs/Ro4rEA9ngLGlk4TbtKuIIvxa/0L9UIVD6qwUSOXwut3KKMbIWjeieNhbZB7LTcP qftgNRGw1upaP46dlVrRv2O2An2N3ZFDGKxpKsq+R2UKkii2Wd1Jpr5dUrnW4qkjk94I kUVAauBqJYcPCO5qQ6u0pdPM+8UK667r2QgUB1lywJeFcBVjiU/1+2W3Rm/lvy8HylEQ 6FHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BZU3fDXm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g26-v6si30412378pgb.349.2018.09.22.13.42.53; Sat, 22 Sep 2018 13:43:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BZU3fDXm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728115AbeIWChl (ORCPT + 99 others); Sat, 22 Sep 2018 22:37:41 -0400 Received: from mail-lj1-f195.google.com ([209.85.208.195]:41195 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727988AbeIWChl (ORCPT ); Sat, 22 Sep 2018 22:37:41 -0400 Received: by mail-lj1-f195.google.com with SMTP id y17-v6so14992684ljy.8 for ; Sat, 22 Sep 2018 13:42:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1F53DeP330QpWm2udvHwsXVnMMzggjVWGKIFG7fDbcE=; b=BZU3fDXmofOSiKkB+H6OVheCTKDv7bpWWLQ2DPKOsTRUoC0NS7D8WbP+NMBdMtBAAR n1Wav1ST3c0XIPpxZAGzO2dyChtcCyojLgmQr/660mehltrR7sSz/1JsMgI/uos766D6 rsSEcgVrUyZ+sbvstUQjQzBgy6Qsq2MXQmZh11TLWN6CYzauThx1jCfJgGQut2DGX6lP 8r8K3E/L7njq2Q/FeOHCOWux0iIQkUVeFDhD5pWGqF/sH3ftwG7ndBvdGuuzGXjp0DSC B8Q7RuJANtbvjjVPAhrs7nANpDLQ2CVxEDBplW/yv7pMZLtHEAnNPREHyMVDdH0fnRNy u4HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1F53DeP330QpWm2udvHwsXVnMMzggjVWGKIFG7fDbcE=; b=sCy5cbFhw0Wh3vE0D2e0sMwjpNiqMNq4d/r+WP4zvjpq4xvvWm7TGg4qU33bWJQ71j 8aVlMz7lOHvy8cM6FgNY5C5KX/zyGjS4v9lkdzaoUfw/t6On8nitlJjJkhaAGnxQUkm9 IxSfvsQZ3rqIlYpg/ev/4C5f7PTgDKJKw+sWYvbDZdgGP2rGSj/pUD5z1bvF1m14NKtQ 7D22oOA0PE+oqgPwQHK+hlL37LKhxoRbmGsPj7m6tPt9RACDtN9z1Dnm66c7jGOetSXS t+oXs+I+4JMFvn+qozgmnnTot9+FiFvWfVdhx3kMryPlPlacOjdpyrYkOQY80g4Idy93 7Q4A== X-Gm-Message-State: ABuFfogqsCDxXsYNWSBBBH+1zPtzXqK24iz3fW2N3+szGon4jdixgj27 LdaKE5cKslJtKnF2bGBrmIBTVA08mlj2bugZUFz/ X-Received: by 2002:a2e:44c6:: with SMTP id b67-v6mr6124225ljf.102.1537648966670; Sat, 22 Sep 2018 13:42:46 -0700 (PDT) MIME-Version: 1.0 References: <20180824120001.20771-1-omosnace@redhat.com> <20180824120001.20771-2-omosnace@redhat.com> In-Reply-To: From: Paul Moore Date: Sat, 22 Sep 2018 16:42:35 -0400 Message-ID: Subject: Re: [PATCH ghak10 v5 1/2] audit: Add functions to log time adjustments To: omosnace@redhat.com Cc: linux-audit@redhat.com, rgb@redhat.com, sgrubb@redhat.com, mlichvar@redhat.com, john.stultz@linaro.org, tglx@linutronix.de, sboyd@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 21, 2018 at 7:21 AM Ondrej Mosnacek wrote: > On Mon, Sep 17, 2018 at 4:51 PM Paul Moore wrote: > > On Mon, Sep 17, 2018 at 8:38 AM Ondrej Mosnacek wrote: > > > On Fri, Sep 14, 2018 at 5:19 AM Paul Moore wrote: > > > > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek wrote: ... > > Okay, with that in mind, perhaps when recording the offset values we > > omit the "old" values (arguably that doesn't make much sense here) and > > keep the sec/nsec split: > > > > type=TIME_CHANGE [...]: offset_sec= offset_nsec= > > > > ... and for all others we stick with: > > > > type=TIME_CHANGE [...]: ntp_= old= > > Alright, that format would work. However, I would still like to have a > separate type for the offset injection, since it has different field > structure and semantics (difference vs. new+old). I don't see any > reason to sacrifice the distinction for just one record type slot > (AFAIK we technically still have about 2 billion left...). > > (Maybe you just duplicated the record type by mistake, in that case > please disregard the last sentence.) A reasonable guess on the typo, but no that was intentional :) As described above, there is no set field ordering for the TIME_CHANGE record, just like there is not set field ordering for the CONFIG_CHANGE record. Why? We only include the state variables that are being changed instead of including all of the available state variables. Yes, historically there are the "new" and "old" fields, but I don't see that as a strong convention; the special "old=" field name helps prevent confusion. Yes, we aren't really at risk of running out of record types, but why do we *need* two types here? I don't believe the ordering/structure argument is significant in this particular case, and I would much rather see all the time related state changes included in one TIME_CHANGE record. -- paul moore www.paul-moore.com