On Aug 16, 2025 Casey Schaufler <ca...@schaufler-ca.com> wrote: > > Replace the single skb pointer in an audit_buffer with a list of > skb pointers. Add the audit_stamp information to the audit_buffer as > there's no guarantee that there will be an audit_context containing > the stamp associated with the event. At audit_log_end() time create > auxiliary records as have been added to the list. Functions are > created to manage the skb list in the audit_buffer. > > Create a new audit record AUDIT_MAC_TASK_CONTEXTS. > An example of the MAC_TASK_CONTEXTS record is: > > type=MAC_TASK_CONTEXTS > msg=audit(1600880931.832:113) > subj_apparmor=unconfined > subj_smack=_ > > When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record the > "subj=" field in other records in the event will be "subj=?". > An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has > multiple security modules that may make access decisions based on a > subject security context. > > Refactor audit_log_task_context(), creating a new audit_log_subj_ctx(). > This is used in netlabel auditing to provide multiple subject security > contexts as necessary. > > Suggested-by: Paul Moore <p...@paul-moore.com> > Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com> > --- > include/linux/audit.h | 16 +++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 208 +++++++++++++++++++++++++++++------ > net/netlabel/netlabel_user.c | 9 +- > security/apparmor/lsm.c | 3 + > security/selinux/hooks.c | 3 + > security/smack/smack_lsm.c | 3 + > 7 files changed, 202 insertions(+), 41 deletions(-)
Merged into audit/dev, thanks. -- paul-moore.com
