From: Paul Moore
Date: Tue, 26 Apr 2022 14:03:02 -0400
Subject: Re: [PATCH v35 23/29] Audit: Create audit_stamp structure
To: John Johansen
Cc: Casey Schaufler, casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org

On Mon, Apr 25, 2022 at 7:31 PM John Johansen wrote:
> On 4/18/22 07:59, Casey Schaufler wrote:
> > Replace the timestamp and serial number pair used in audit records
> > with a structure containing the two elements.
> >
> > Signed-off-by: Casey Schaufler
> > Acked-by: Paul Moore
> > ---
> > kernel/audit.c | 17 +++++++++--------
> > kernel/audit.h | 12 +++++++++---
> > kernel/auditsc.c | 22 +++++++++-------------
> > 3 files changed, 27 insertions(+), 24 deletions(-)

...

> > diff --git a/kernel/audit.h b/kernel/audit.h > > index 4af63e7dde17..260dab6e0e15 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h 
> > @@ -108,10 +114,10 @@ struct audit_context { > > AUDIT_CTX_URING, /* in use by io_uring */ > > } context; > > enum audit_state state, current_state; > > + struct audit_stamp stamp; /* event identifier */ > > unsigned int serial; /* serial number for record */ > > shouldn't we be dropping serial from the audit_context, since we have > moved it into the audit_stamp? Unless we make some significant changes to audit_log_start() we still need to preserve a timestamp in the audit_context so that regularly associated audit records can share a common timestamp (which is what groups multiple records into a single "event"). FWIW, I'm working on some patches which will make a lot of this better in the future, but they aren't ready yet and would almost surely land after the stacking patches. Audit will get better at some point in the future, I promise :) -- paul-moore.com
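
Review bot: in the struct audit_context hunk of kernel/audit.h, `unsigned int serial; /* serial number for record */` stays in place directly after the new `struct audit_stamp stamp; /* event identifier */`, so in the lines shown the context carries the serial number twice, given that the commit message says the new structure contains both the timestamp and the serial number. Either drop the standalone field in this patch or extend its comment to state why it has to remain alongside the stamp, so that the two copies cannot be updated or read inconsistently when records are grouped into one event.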