Re: [PATCH v35 23/29] Audit: Create audit_stamp structure

From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <paul@paul-moore.com>
Cc: John Johansen <john.johansen@canonical.com>,
	jmorris@namei.org, linux-security-module@vger.kernel.org,
	selinux@vger.kernel.org, linux-audit@redhat.com,
	keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v35 23/29] Audit: Create audit_stamp structure
Date: Wed, 27 Apr 2022 13:55:12 -0700	[thread overview]
Message-ID: <8bb21e2c-0c09-86ec-13a7-3e316c145ab7@schaufler-ca.com> (raw)
In-Reply-To: <CAHC9VhQow5MaC0O-YJHxXh_=SR5eo3+97pznVyUq4YhkTuBBmg@mail.gmail.com>

On 4/27/2022 9:02 AM, Paul Moore wrote:
> On Wed, Apr 27, 2022 at 11:49 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 4/26/2022 12:18 PM, Paul Moore wrote:
>>> On Tue, Apr 26, 2022 at 2:58 PM John Johansen
>>> <john.johansen@canonical.com> wrote:
>>>> On 4/26/22 11:03, Paul Moore wrote:
>>>>> On Mon, Apr 25, 2022 at 7:31 PM John Johansen
>>>>> <john.johansen@canonical.com> wrote:
>>>>>> On 4/18/22 07:59, Casey Schaufler wrote:
>>>>>>> Replace the timestamp and serial number pair used in audit records
>>>>>>> with a structure containing the two elements.
>>>>>>>
>>>>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>>>>> Acked-by: Paul Moore <paul@paul-moore.com>
>>>>>>> ---
>>>>>>>    kernel/audit.c   | 17 +++++++++--------
>>>>>>>    kernel/audit.h   | 12 +++++++++---
>>>>>>>    kernel/auditsc.c | 22 +++++++++-------------
>>>>>>>    3 files changed, 27 insertions(+), 24 deletions(-)
>>>>> ...
>>>>>
>>>>>>> diff --git a/kernel/audit.h b/kernel/audit.h
>>>>>>> index 4af63e7dde17..260dab6e0e15 100644
>>>>>>> --- a/kernel/audit.h
>>>>>>> +++ b/kernel/audit.h
>>>>>>> @@ -108,10 +114,10 @@ struct audit_context {
>>>>>>>                 AUDIT_CTX_URING,        /* in use by io_uring */
>>>>>>>         } context;
>>>>>>>         enum audit_state    state, current_state;
>>>>>>> +     struct audit_stamp  stamp;      /* event identifier */
>>>>>>>         unsigned int        serial;     /* serial number for record */
>>>>>> shouldn't we be dropping serial from the audit_context, since we have
>>>>>> moved it into the audit_stamp?
>>>>> Unless we make some significant changes to audit_log_start() we still
>>>>> need to preserve a timestamp in the audit_context so that regularly
>>>>> associated audit records can share a common timestamp (which is what
>>>>> groups multiple records into a single "event").
>>>>>
>>>> sure, but the patch changes things to use ctx->stamp.serial instead of
>>>> ctx->serial ...
>>> My apologies, I read your original comment wrong; I was thinking you
>>> were suggesting removing the timestamp info from audit_context in
>>> favor of using the timestamp info contained in the audit_buffer.
>>>
>>> Yes, audit_context:serial is no longer needed with audit_context:stamp.
>> Thank you for catching that. Easy (I expect) fix.
>> BTW, I'm not supposed to be working the next few weeks,
>> but I should be able to sneak v36 in before the next merge
>> window.
> Enjoy the time away :)
>
> FWIW, this isn't my call to make, but I would strongly prefer if this
> got a *full* run in linux-next before it was merged into Linus' tree
> during the merge window.  For example, get this into the LSM -next
> tree at -rc1 instead of -rc6.

I am in complete agreement. There's too much Murphy to rush it.