On 4/26/22 11:03, Paul Moore wrote:
On Mon, Apr 25, 2022 at 7:31 PM John Johansen
<john.johansen(a)canonical.com> wrote:
> On 4/18/22 07:59, Casey Schaufler wrote:
>> Replace the timestamp and serial number pair used in audit records
>> with a structure containing the two elements.
>>
>> Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com>
>> Acked-by: Paul Moore <paul(a)paul-moore.com>
>> ---
>> kernel/audit.c | 17 +++++++++--------
>> kernel/audit.h | 12 +++++++++---
>> kernel/auditsc.c | 22 +++++++++-------------
>> 3 files changed, 27 insertions(+), 24 deletions(-)
...
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index 4af63e7dde17..260dab6e0e15 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -108,10 +114,10 @@ struct audit_context {
>> AUDIT_CTX_URING, /* in use by io_uring */
>> } context;
>> enum audit_state state, current_state;
>> + struct audit_stamp stamp; /* event identifier */
>> unsigned int serial; /* serial number for record */
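Review bot: with `struct audit_stamp stamp` added to struct audit_context, the `unsigned int serial` member on the next line looks redundant, since the same patch switches users such as audit_reset_context() from `ctx->serial = 0` to `ctx->stamp.serial = 0`; either drop `serial` here (along with any remaining readers of ctx->serial) or add a comment explaining why the context keeps both fields.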
>
> shouldn't we be dropping serial from the audit_context, since we have
> moved it into the audit_stamp?
Unless we make some significant changes to audit_log_start() we still
need to preserve a timestamp in the audit_context so that regularly
associated audit records can share a common timestamp (which is what
groups multiple records into a single "event").
Sure, but the patch changes things to use ctx->stamp.serial instead of
ctx->serial. E.g. in audit_reset_context() we have
- ctx->serial = 0;
+ ctx->stamp.serial = 0;
I don't see a reason why we need both ctx->serial and ctx->stamp.serial
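As an added illustration (not code from the patch or from the kernel), the user-space C model below shows the behaviour Paul describes: every record logged while a syscall's audit_context holds a stamp shares one timestamp and serial, and resetting the context ends the event. The struct and function names mirror the patch and kernel/audit.c, but the bodies are simplified stand-ins, not the kernel's implementation.

```c
/* Added user-space model, not kernel code: why audit_context keeps one
 * (timestamp, serial) stamp so that all records logged during a syscall
 * share a single "audit(time:serial)" event id. Names mirror the patch. */
#include <stdio.h>
#include <string.h>

struct audit_stamp {
    unsigned long sec;    /* stands in for the timespec64 ctime */
    unsigned int serial;  /* 0 means no stamp assigned yet */
};
struct audit_context {
    struct audit_stamp stamp; /* event identifier for this syscall */
};
static unsigned int next_serial; /* models the global audit_serial() counter */

/* Model of audit_get_stamp(): reuse the context's stamp, else mint one. */
static struct audit_stamp audit_get_stamp(struct audit_context *ctx, unsigned long now)
{
    if (ctx && ctx->stamp.serial)
        return ctx->stamp;
    struct audit_stamp s = { .sec = now, .serial = ++next_serial };
    if (ctx)
        ctx->stamp = s;   /* later records in this syscall reuse it */
    return s;
}

/* Model of audit_log_start(): write the record's "audit(...)" prefix. */
static int audit_log_prefix(struct audit_context *ctx, unsigned long now, char *buf, size_t len)
{
    struct audit_stamp s = audit_get_stamp(ctx, now);
    return snprintf(buf, len, "audit(%lu.000:%u): ", s.sec, s.serial);
}

/* Model of audit_reset_context(): clearing the stamp ends the event. */
static void audit_reset_context(struct audit_context *ctx)
{
    memset(&ctx->stamp, 0, sizeof(ctx->stamp));
}

int main(void)
{
    struct audit_context ctx = { { 0, 0 } };
    char a[48], b[48], c[48];
    audit_log_prefix(&ctx, 1000, a, sizeof a); /* SYSCALL record */
    audit_log_prefix(&ctx, 1001, b, sizeof b); /* PATH record: same event id */
    audit_reset_context(&ctx);
    audit_log_prefix(&ctx, 1002, c, sizeof c); /* next syscall: new event id */
    printf("%s\n%s\n%s\n", a, b, c);
    return 0;
}
```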