From: Paul Moore
Date: Tue, 26 Apr 2022 15:18:13 -0400
Subject: Re: [PATCH v35 23/29] Audit: Create audit_stamp structure
To: John Johansen
Cc: Casey Schaufler, casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
In-Reply-To: <26eca0aa-111a-9473-8925-e4b12cadbd79@canonical.com>

On Tue, Apr 26, 2022 at 2:58 PM John Johansen wrote: > On 4/26/22 11:03, Paul Moore wrote: > > On Mon, Apr 25, 2022 at 7:31 PM John Johansen > > wrote: > >> On 4/18/22 07:59, Casey Schaufler wrote: > >>> Replace the timestamp and serial number pair used in audit records > >>> with a structure containing the two elements.
> >>> > >>> Signed-off-by: Casey Schaufler > >>> Acked-by: Paul Moore > >>> --- > >>> kernel/audit.c | 17 +++++++++-------- > >>> kernel/audit.h | 12 +++++++++--- > >>> kernel/auditsc.c | 22 +++++++++------------- > >>> 3 files changed, 27 insertions(+), 24 deletions(-) > > > > ... > > > >>> diff --git a/kernel/audit.h b/kernel/audit.h > >>> index 4af63e7dde17..260dab6e0e15 100644 > >>> --- a/kernel/audit.h > >>> +++ b/kernel/audit.h 
> >>> @@ -108,10 +114,10 @@ struct audit_context { > >>> AUDIT_CTX_URING, /* in use by io_uring */ > >>> } context; > >>> enum audit_state state, current_state; > >>> + struct audit_stamp stamp; /* event identifier */ > >>> unsigned int serial; /* serial number for record */ > >> > >> shouldn't we be dropping serial from the audit_context, since we have > >> moved it into the audit_stamp? > > > > Unless we make some significant changes to audit_log_start() we still > > need to preserve a timestamp in the audit_context so that regularly > > associated audit records can share a common timestamp (which is what > > groups multiple records into a single "event"). > > > sure, but the patch changes things to use ctx->stamp.serial instead of > ctx->serial ... My apologies, I read your original comment wrong; I was thinking you were suggesting removing the timestamp info from audit_context in favor of using the timestamp info contained in the audit_buffer. Yes, audit_context:serial is no longer needed with audit_context:stamp. 
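Review bot: `unsigned int serial; /* serial number for record */` is still present as an unchanged context line directly under the added `struct audit_stamp stamp;` in struct audit_context, so the structure now carries the serial number twice. Since the reply above notes that the patch switches users to ctx->stamp.serial, remove the old field in this same hunk; leaving it in place invites a later caller to read a ctx->serial that may no longer be kept in sync with the event identifier written into the records.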
-- paul-moore.com
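How the shared timestamp and serial number group records into one event, seen from the log consumer's side. This is an added example, not code from the patch or the kernel: it parses the `audit(SEC.MSEC:SERIAL)` identifier from record lines, and the `struct stamp` layout, the function names and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative userspace view of the (timestamp, serial) pair; not the kernel's struct. */
struct stamp { long long sec; unsigned int msec, serial; };

/* Constructed sample records: three share one stamp, one differs only in serial. */
static const char *sample[] = {
    "type=SYSCALL msg=audit(1651000705.042:411): syscall=257 success=yes",
    "type=CWD msg=audit(1651000705.042:411): cwd=\"/root\"",
    "type=SYSCALL msg=audit(1651000705.042:412): syscall=59 success=yes",
    "type=PATH msg=audit(1651000705.042:411): item=0 name=\"/etc/shadow\"",
    "type=PATH msg=audit(1651000706.100): truncated stamp, no serial",
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Extract the event identifier from one record; 0 on success, -1 if malformed. */
static int parse_stamp(const char *line, struct stamp *s)
{
    const char *p = strstr(line, "msg=audit(");
    char close = 0;
    if (!p || sscanf(p, "msg=audit(%lld.%u:%u%c",
                     &s->sec, &s->msec, &s->serial, &close) != 4)
        return -1;
    return close == ')' ? 0 : -1;
}

/* Count records of one event; a record matches only if timestamp AND serial agree. */
static int records_in_event(const char **lines, size_t n,
                            const struct stamp *want, int *malformed)
{
    struct stamp s;
    int hits = 0;
    *malformed = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_stamp(lines[i], &s) < 0)
            (*malformed)++;      /* surface unparsable lines instead of dropping them */
        else if (s.sec == want->sec && s.msec == want->msec && s.serial == want->serial)
            hits++;
    }
    return hits;
}

int main(void)
{
    struct stamp want = { 1651000705LL, 42, 411 };
    int bad, n = records_in_event(sample, NSAMPLE, &want, &bad);
    printf("event :411 has %d records; %d malformed line(s)\n", n, bad);
    return 0;
}
```

Matching on the timestamp alone would merge serials 411 and 412 into one event, which is why a consumer has to compare both fields.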