From: Paul Moore
Date: Wed, 27 Apr 2022 12:02:21 -0400
Subject: Re: [PATCH v35 23/29] Audit: Create audit_stamp structure
To: Casey Schaufler
Cc: John Johansen, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org

On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler wrote:
>
> On 4/26/2022 12:18 PM, Paul Moore wrote:
> > On Tue, Apr 26, 2022 at 2:58 PM John Johansen wrote:
> >> On 4/26/22 11:03, Paul Moore wrote:
> >>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen wrote:
> >>>> On 4/18/22 07:59, Casey Schaufler wrote:
> >>>>> Replace the timestamp and serial number pair used in audit records
> >>>>> with a structure containing the two elements.
> >>>>>
> >>>>> Signed-off-by: Casey Schaufler
> >>>>> Acked-by: Paul Moore
> >>>>> ---
> >>>>> kernel/audit.c | 17 +++++++++--------
> >>>>> kernel/audit.h | 12 +++++++++---
> >>>>> kernel/auditsc.c | 22 +++++++++-------------
> >>>>> 3 files changed, 27 insertions(+), 24 deletions(-)
> >>> ...
> >>>
> >>>>> diff --git a/kernel/audit.h b/kernel/audit.h
> >>>>> index 4af63e7dde17..260dab6e0e15 100644
> >>>>> --- a/kernel/audit.h
> >>>>> +++ b/kernel/audit.h
> >>>>> @@ -108,10 +114,10 @@ struct audit_context {
> >>>>> AUDIT_CTX_URING, /* in use by io_uring */
> >>>>> } context;
> >>>>> enum audit_state state, current_state;
> >>>>> + struct audit_stamp stamp; /* event identifier */
> >>>>> unsigned int serial; /* serial number for record */
> >>>> shouldn't we be dropping serial from the audit_context, since we have
> >>>> moved it into the audit_stamp?
> >>> Unless we make some significant changes to audit_log_start() we still
> >>> need to preserve a timestamp in the audit_context so that regularly
> >>> associated audit records can share a common timestamp (which is what
> >>> groups multiple records into a single "event").
> >>>
> >> sure, but the patch changes things to use ctx->stamp.serial instead of
> >> ctx->serial ...
> > My apologies, I read your original comment wrong; I was thinking you
> > were suggesting removing the timestamp info from audit_context in
> > favor of using the timestamp info contained in the audit_buffer.
> >
> > Yes, audit_context:serial is no longer needed with audit_context:stamp.
>
> Thank you for catching that. Easy (I expect) fix.
> BTW, I'm not supposed to be working the next few weeks,
> but I should be able to sneak v36 in before the next merge
> window.

Enjoy the time away :)

FWIW, this isn't my call to make, but I would strongly prefer if this
got a *full* run in linux-next before it was merged into Linus' tree
during the merge window. For example, get this into the LSM -next
tree at -rc1 instead of -rc6.

--
paul-moore.com
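
Review bot: In the struct audit_context hunk of kernel/audit.h, the unchanged line "unsigned int serial; /* serial number for record */" still sits directly below the added "struct audit_stamp stamp; /* event identifier */", so the context ends up carrying two serial numbers. The discussion says the patch switches users to ctx->stamp.serial, so the old field should be removed in this same patch; otherwise a later reader of ctx->serial gets a value that no longer tracks the event identifier placed in audit records. Removing the field also lets the compiler flag any remaining ctx->serial users in kernel/audit.c and kernel/auditsc.c.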