From 38c9d998dfb85eeb1e78744e4fabb72f6d68feb8 Mon Sep 17 00:00:00 2001
From: John Johansen <john@jjmx.net>
Date: Tue, 4 Dec 2018 01:41:37 +0000
Subject: [PATCH] Update apparmor_kernel_development_guide_notifications

---
 apparmor_kernel_development_guide_notifications.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apparmor_kernel_development_guide_notifications.md b/apparmor_kernel_development_guide_notifications.md
index 4761b1f..8d032d8 100644
--- a/apparmor_kernel_development_guide_notifications.md
+++ b/apparmor_kernel_development_guide_notifications.md
@@ -43,7 +43,10 @@ If a notification is determined to be needed the audit message is queued up on t
 
 ## Audit messages and allocations
 
-The queue of audit messages requires that they be allocated via heap memory, but we also don't want the regular audit path to fail. ???
+The queue of audit messages requires that they be allocated via heap memory, but we also don't want the regular audit path to fail.
+
+Atm the initial audit struct is allocated on the stack, if an audit message is to go to notifications, a new audit structure is allocated from a kmem_cache of audit message objects. This reduces the chance of failure, and allows per cpu caching of the audit struct.
+
 
 It does however require that audit messages are NOT allocated from the stac