[RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules

Paul Moore paul at paul-moore.com
Mon Dec 27 15:07:30 UTC 2021


On Fri, Dec 24, 2021 at 9:21 AM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2021-12-23 12:38, Paul Moore wrote:
> > On Tue, Dec 21, 2021 at 3:50 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > > On 2021-11-24 10:44, Paul Moore wrote:
> > > > You mentioned that you wanted to do some more work on this patch so
> > > > I'll hold off further comments until the updated patch is posted.
> > >
> > > I had a look at this patch and there is no further adjustment needed.
> > > The only note is that the AUDIT_TIME_ADJNTPVAL record is printed at the
> > > top of show_special() due to the need to potentially allocate multiple
> > > records.  Do you think this requires a comment in the description or
> > > in the code just above the call to __audit_ntp_log_()?
> > >
> > > If not, please merge it at your convenience.  Sorry to have dropped this
> > > ball.
> >
> > No worries, I'll put the patch back on the to-review pile.  However,
> > since we are at -rc6 this week with the holidays in full swing it
> > seems like this is something that we should defer merging until after
> > the upcoming merge window closes.  Now that this is no longer an RFC,
> > I'll try to take a closer look and offer any additional review
> > feedback next week.
>
> Darn, missed another merge window.  My fault for dropping the ball.

I know you are well aware of this policy, Richard, but for others who
may be watching this, I don't like to take significant changes into
-next much past the -rc5/-rc6 boundary unless it is a critical bug
fix.  While this particular patch might not be very large, it is a
user visible change which makes it a "significant change" in my
opinion.

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/tree/README.md

> If I might advocate, it is a bugfix rather than a feature...

Maybe.  I can see an argument for viewing it that way, but I also see
it as a user visible change.  Taking into account where we are at in
the current -rcX cycle, the fact that large portions of the kernel
development community are in the midst of various end-of-year
holidays, and the nature of the patch, I feel it is better to give
this more than a week or two in -next.

I also feel that if this was truly that important, we would have seen
more urgency and comments associated with the patch.

-- 
paul moore
www.paul-moore.com



