Re: [PATCH 17/21] audit: Use timespec64 to represent audit timestamps
On Thu, Jun 9, 2016 at 7:31 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> Audit timestamps are recorded in string format into
> an audit buffer for a given context.
> These mark the entry timestamps for the syscalls.
> Use y2038 safe struct timespec64 to represent the times.
> The log strings can handle this transition as strings can
> hold upto 1024 characters.
Have you tested this with ausearch or any audit utilities? As an aside, a time
stamp that is up to 1024 characters long is terribly wasteful considering how
many events we get.
/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
* audit records. Since printk uses a 1024 byte buffer, this buffer
* should be at least that large. */
#define AUDIT_BUFSIZ 1024
The commit text is pointing out that the reserve space ensured in each
call to audit_log_vformat is already much more than is needed by this
call from audit_log_start.
Also, since struct timespec64 is already the same as struct timespec
on 64-bit systems, there is really no functional change except on
32-bit machines.
Let me know if you want me to try it out on a 32-bit system.
-Deepa