On Thu, Jun 9, 2016 at 7:31 AM, Steve Grubb sgrubb@redhat.com wrote:
On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
Audit timestamps are recorded in string format into an audit buffer for a given context. These mark the entry timestamps for the syscalls. Use y2038 safe struct timespec64 to represent the times. The log strings can handle this transition as strings can hold upto 1024 characters.
Have you tested this with ausearch or any audit utilities? As an aside, a time stamp that is up to 1024 characters long is terribly wasteful considering how many events we get.
/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting * audit records. Since printk uses a 1024 byte buffer, this buffer * should be at least that large. */ #define AUDIT_BUFSIZ 1024
The commit text is pointing out that the reserve space ensured in each call to audit_log_vformat is already much more than is needed by this call from audit_log_start.
Also, since struct timespec64 is already the same as struct timespec on 64-bit systems, there is really no functional change except on 32-bit machines.
Let me know if you want me to try it out on a 32-bit system.
-Deepa